I. INTRODUCTION

Recognizing the relationship between policies and mechanisms has been a problem in the specification and design of many computer systems. What is needed is a simple methodology for assessing the suitability of a protection mechanism to enforce a non-discretionary security policy. Such a methodology, based upon the entity-relationship model and designed with validation of security enforcement as its primary objective, is presented.

Defined as the assignment technique, this mathematically oriented methodology establishes a relationship between the information sensitivities of the system's entities (partitioned according to the policy constraints) and the dominance domains (inherently established by a mechanism). The assignment technique provides a means for mechanism sufficiency validation, since the results of the assignment can be evaluated to determine whether the constraints of the policy are met.

Mechanisms are defined as procedural specifications that prevent the occurrence of operations. Protection mechanisms, then, control a subject's access to an object by adhering to some procedural specification of access rules. Policies, however, are generally stated in a non-procedural form. This leads to a problem in translating policies into mechanisms, and in verifying the accuracy of this translation.

Only non-discretionary security policies are discussed in detail. Such policies, however, are extremely important when dealing with protection of business information as well as National Security. Computer systems designed to provide Command, Control and Communications must rely upon effective non-discretionary security if they are to be of any value to National Defense [1]. Compromise and subversion policies [2] precisely define the requirements, but the suitability of a protection mechanism to meet these requirements is not always apparent. A theoretical foundation from which this suitability may be simply and readily derived is established.

A. BACKGROUND

Non-discretionary policies for the security of sensitive information have existed throughout the annals of history. The basis of these policies lies in a subject (i.e., an active entity) being prohibited modification or observation of an object (i.e., a repository for information or inactive entity) based upon the subject's membership in a specified group. This grouping is established external to the system in which it will be used.

The first computer systems dealt with the problem of security by establishing physical protection perimeters. Walls, locks and marines with rifles provided the environment necessary for system security. This was an acceptable procedure because there were relatively few users of the system and each user was trusted not to violate the security policies. Security was an issue external to the computer itself.

However, as computer technology became more sophisticated, user expectations increased. Policy-makers established security policies and expected their machines to adhere to them without exception. The security perimeters that had been established external to the computer were now to be established internally.

This led to two fields of research. One group, the experimentalists, attempted to design ingeniously contrived mechanisms with little or no concern for the policies which their mechanism would support. Mathematicians, on the other hand, set about the task of modeling policies in a fashion that would establish a foundation for the procedural specification of protection mechanisms. The relationship between these models and the mechanisms was not always clear.

What is needed, and what is presented here, is a simple, complete and consistent means of establishing that a mechanism actually enforces the policy-makers' specifications. This is done by first giving the policy-maker a tool to precisely describe his policy and then giving the systems designers and analysts a technique to evaluate the sufficiency of their mechanism to support this policy.

A careful examination of the fundamental nature of non-discretionary security policies and protection mechanisms is made. This examination is based largely upon the findings of research associated with security technology [3]. The results of this examination show what it is about mechanisms that actually provides the protection and what protection is actually provided. In so doing, a theoretical mathematical foundation is established from which the science of secure computation may proceed to meet the requirements of the policy-maker in a simple, [...] and efficient manner.
B. RELATED WORK

Research in establishing the suitability of protection mechanisms to meet non-discretionary security policies is practically non-existent. Protection mechanisms are usually presented in an informal manner with implementation details dominating the discussion [4]. Policies, on the other hand, are generated by persons who rarely give consideration to the implementation of these policies in a computer system. The disparity between these two groups has led to little research in methodologies for bridging the broad gap between security policies and protection mechanisms, and even fewer results.

The notion of domains originated with Dennis and Van Horn [5] and their concept of spheres of protection. This idea was improved upon by Lampson [6,7] who coined the term "domain" and noted the usefulness of domains as a conceptual tool for understanding protection mechanisms. Schroeder [8] made use of these ideas to design a protection mechanism that would allow mutually suspicious subsystems to cooperate in a single computation.

Popek [9] modeled the nature of access control with his restriction graphs. Bell and LaPadula [10] made a significant contribution when they identified a mathematical framework within which to deal with the problems of secure computer systems. Their work was based upon general systems theory and finite state automata. Furtek [11] established a similar, less known, mathematical framework based upon the theory of constraints. The Bell and LaPadula work was followed by Walter's [12] development of a lattice model for security policies. This model was refined and later popularized by Denning [13] such that today, nearly all practical policies have been recognized as lattice policies.

Saltzer and Schroeder [14] presented a tutorial on the basic principles of protection in computer systems. Cohen [15], however, provides a far more rigorous discussion of protection mechanisms while Grohn's [16] research provides considerable insight into a number of details regarding access relations.


Much of [...] [12, 17]. As such, the authors rarely discussed the motivation for their efforts. It was Schell [1], however, who dramatically described the importance of computer security in a modern electronic environment. Recognition of the significance of this problem motivated the research reported here.

C. ORGANIZATION

The relationship between security policies and protection mechanisms is not obvious. In order to explore this relationship, one must clarify the meaning of security and protection. Only by methodically examining each and every pertinent principle can one hope to establish a mathematical framework which unifies the security policy issues with the protection mechanisms' design.

The nature of non-discretionary security policies is considered first. The meaning of access relations is explored and commonly known policies are discussed.

Next, a formalized notion of domains is presented. A succinct mathematical definition of a domain is offered. The notions of an (access-mode) domain and of dominance domains are introduced as tools for precisely characterizing protection mechanisms.

Section four discusses the theoretical basis for assignment. The assignment technique is explained and a means for simplifying the number of assignment schemes needed to establish the insufficiency of a mechanism to support some particular policy is derived.

Section five presents detailed applications of simple assignment showing the usefulness of the assignment technique, particularly with respect to mechanism sufficiency validation. Section five dispels much of the mystery that surrounds the ad hoc design of secure computer systems.

Every attempt has been made to provide the reader with a clear understanding of the principles of the assignment technique. Readers are encouraged to question these findings and indeed, the fundamentals upon which they are based. Only in so doing can one hope to grasp the meaning of the principles presented and the utility of the assignment technique in establishing a foundation for secure computer systems.


II. NON-DISCRETIONARY SECURITY POLICIES

This section provides a detailed examination of the nature of non-discretionary security policies after first discussing several pertinent concepts concerning policies in general. Some of the issues presented may appear to confuse policy issues with mechanism issues. Hopefully, this confusion will be resolved as the reader obtains a thorough understanding of the inherently isomorphic nature of policies and mechanisms, as substantiated in the ensuing discussion.

A. THE NATURE OF A POLICY

The fundamental nature of a policy has not been clearly established in the Computer Science field. For example, Wulf, Cohen, Jones and others suggest that a policy is a mechanism when discussing HYDRA [19]. Jones subsequently discusses how protection mechanisms can be used to enforce security policies [19]. On the other hand, Cohen defines a policy as a problem in his doctoral dissertation [15] but enumerates several protection problems associated with one security policy [15]. Such confusion among such a closely related group of computer scientists specializing in operating system security is by no means an isolated situation.

Snyder [20] makes note of this problem, stating that capability-based protection system designers rarely consider the security policies their system may implement. Throughout the computer security literature, one may observe that the nature of a policy, and how it relates to the protection issues discussed, is often ignored. Perhaps this is because the nature of security policies themselves, and the suitability of protection mechanisms to meet these policies, is not clearly understood. It is the intent of this author to address this problem. In order to do so, one begins by formalizing the notion of a policy.

A policy is a specification of behavior. Such a specification constrains the activities within a system by establishing a distinction between acceptable and unacceptable behavior for some set of classes established by the policy. When dealing with the security issue, the classes (i.e., access classes) are simply labels which the policy uses to distinguish between groups of system entities. So a security policy specifies a set of access classes and identifies the acceptable behavior between them.

Enforcement of policies may be realized in a number of ways. In general, any means of security enforcement internal to the computer may be considered to be a protection mechanism. As such, implementation details are generally ignored.
The term behavior generally implies that an active entity is dealing with some other entity or entities. So one can distinguish between two types of entities with respect to security policy specifications. One type is those entities whose behavior is being controlled. These are the active entities within the system and are referred to as "subjects". The other type is those with which the subject interacts during execution that are not subjects, but rather are simply repositories of information [12]. These are the passive entities within the system, referred to as "objects".

A process is characterized by an address space and an execution point or state of its virtual processor. It is important to note the distinction between processes and subjects, as these two terms are often incorrectly considered to be synonymous. A subject is implemented as a process-domain pair [6,7,8]. One must take care not to confuse these two terms.

Much confusion has been associated with the issue of policy enforcement. A policy may be completely enforced in a system, partially enforced in a system, or not enforced at all. Partial enforcement applies only to complex policies for which sub-policies can be formulated and enforced. Partial enforcement does not imply enforcement of a policy only under certain conditions, or at certain times, which is, in fact, no enforcement at all. Partial enforcement refers to enforcement of a sub-policy within the context of the overall policy.

Policies are not problems [15]. Problems occur only in the implementation of a policy and are used to describe pitfalls in the enforcement of some policy of interest.

Applying some policy to a system makes no changes to that system at the time of application. This means that policies do not initially alter the entities with which they deal. Rather, entities are assigned to an access class according to the policy. If an entity is assigned to an access class such that its attributes require modification, or its relationships are invalid, or the entity itself does not belong within the system, the system is not in compliance with the policy. Action may be taken later to bring the system into compliance, but simply associating the policy with the system, in effect, only labels the system entities.

Recognizing the nature of a policy is important if one is interested in enforcement of policies in computer systems. This is because the logical nature of a computing device dictates a logical specification of policy. Having clearly described the nature of a policy in general, one may now examine security policies.


B. SECURITY POLICIES

Security policies are generally grouped into two broad classes. Non-discretionary security policies (sometimes referred to as mandatory policies) are policies which fix the classification of information sensitivities and establish all permissible access relations (viz., subjects gaining some form of access to objects) according to these information sensitivities. Such a policy is generally considered to externally constrain what access is permissible [3]. Enforcement of a policy requires that the sensitivity of all objects and the authorizations of all subjects be clearly identified.

Discretionary policies, in a sense, provide a finer granularity of access control within the constraints of the non-discretionary policies of the system [3]. Authorization to access information and specification of source information access classes are made outside of the computer environment. A policy is discretionary when a subject with access to an object may exercise its discretion in making that object available to some other subject. As such, the information sensitivity of an object is decided in a discretionary or arbitrary manner. This tends to produce "spaghetti bowl" policies where the information sensitivities of objects are not easy to determine. The sensitivity of objects is constantly changing in an arbitrary manner which may not be readily observable or controllable. Such policies are not practical when dealing with many of the National Defense issues. Because of their limited utility, discretionary policies are not as interesting as non-discretionary policies, nor is their enforcement such a critical issue.

Only non-discretionary security policies are examined in this discussion. It is shown that all non-discretionary security policies can be represented as lattice security policies.

C. LATTICE SECURITY POLICIES

A number of non-discretionary security policies have already been described as lattice policies [12,21]. As such, the precise form of the lattice structure is helpful in understanding the nature of the policy [19].

A universally bounded lattice is a mathematical structure consisting of a finite, partially ordered set for which there exists precisely one least common upper element (i.e., the least upper bound (LUB)) and precisely one greatest common lower element (i.e., the greatest lower bound (GLB)) [22,23]. A partially ordered set is a set, Q, for which a relation, R, is applied to Q such that R is reflexive, antisymmetric and transitive [22]. For example, consider the set Q = {q1, q2, q3, q4} and the relation R applied to Q such that q1 R q2 (i.e., q1 is related to q2 by relation R), q1 R q3, q1 R q4, q2 R q4, and q3 R q4. The relation R forms a lattice on the set Q with q1 as the GLB and q4 as the LUB.

When discussing lattice security policies, one recognizes the set Q as the set of access classes established by the policy. The access relation R, however, may vary significantly from policy to policy. This fact is not so well recognized. Denning's information flow model [13], for example, describes a flow relation, defined on pairs of access classes such that for classes A and B, A → B if and only if information in class A is permitted to flow into class B. This relation applies to compromise and subversion policies, for example, but is meaningless when discussing program integrity.

Three relations between access classes are generally sufficient to describe the specifications of any non-discretionary security policy. For access classes A and B, these are:

    A > B    Information of access class A is more sensitive than information of access class B

    A = B    Information of access class A is of the same sensitivity as information of access class B

    A # B    Information of access class A is in no way related to information of access class B

The notion of sensitivity may be easily confused when discussing several policies. This is because the term takes its meaning from the policy in question and cannot be readily associated with two diverse policies. For example, an object O may be > a subject S with respect to one policy, # with respect to another policy, and S > O with respect to still another policy. Sensitivity, then, may not be useful for discussing multiple policy issues. It is, however, a useful intuitive term for describing the lattice nature of a policy.

This author advances the hypothesis that all non-discretionary security policies may be represented as lattice policies. A simple argument is offered in support of this hypothesis, as a complete proof has not been developed.

Non-discretionary security policies are established external to the computer system environment. As such, they define some form of behavior between subjects and objects from which the system may not deviate without external authoritative approval. The system entities (i.e., the subjects and objects) must be clearly labeled or otherwise identified with respect to the policy. Grouping those system entities whose labels are identical, one may establish a set of equivalence classes which completely partition the system's entities. One may think of these equivalence classes as labeled by the access classes. Such a partitioning, for all practical policies and systems, is finite.

One may then examine the relations between access classes with respect to the policies. Enumerating all the relations between access classes, one may draw a graph, such as that shown in figure 1, with nodes signifying access classes and arcs signifying that the access class of the higher node (i.e., closer to the top of the page) is more sensitive (>) than the access class of the lower node. Transitive relations need not be drawn, as their inclusion is implicit and does not affect the graph.


Figure  1.  Disjoint  Partially  Ordered  Sets  and  Nodes 

If any cycles are discovered in an attempt to construct the graph, one may see that the specification of policy is not enforceable. That is to say, for some cycle of access classes A > B > ... > Z > A, the information sensitivity of some access class A is at the same time > A and = A. This is a paradox. Attempting to enforce such a specification is intuitively nonsense! So if one is to have a non-discretionary security policy, viz., one which is to be enforced in a mandatory fashion, one may safely assume that the policy will specify no cyclic relations among the access classes. Therefore, one may categorically state that the graph of any enforceable non-discretionary security policy will never contain any cycles.

Further examining the graph, one can observe that only two general structures may exist. The first consists of unrelated nodes (i.e., those nodes which are singletons representing access classes with no relations to other access classes in the graph). The other structures are partially ordered sets (some of which may be a lattice).

If the graph does not contain a least upper bound (LUB), one may arbitrarily create an access class so designated and establish the appropriate relations with respect to its sensitivity (see figure 2). This access class may also be referred to as the "system high." Likewise, one may do the same for the greatest lower bound (GLB), which is generally known as the "system low." Note that neither the LUB nor the GLB need have any entities associated with their access class. By forming this structure, one has established a lattice.

Thus, all non-discretionary security policies are lattice security policies. Non-discretionary security specifications that generate cyclic structures are not well formed policies and, as such, their enforcement cannot be evaluated, nor can one consider such a specification to be a policy worthy of discussion.
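The following Python is an added example, not code from the thesis: it builds the graph of stated relations for a policy, rejects a cyclic specification, adds the "system high" and "system low" classes wherever the graph lacks a unique LUB or GLB, and then checks that every pair of classes has a unique LUB and GLB, as the lattice definition in part C requires. It is run on the Q and R example of part C and on three constructed, mutually unrelated classes; a pair (a, b) encodes "a R b" with b the more sensitive class, and the names SYSTEM HIGH and SYSTEM LOW are assumed labels.

```python
from itertools import product

# Constructed inputs for this example. A pair (a, b) reads "a R b": the class b
# is more sensitive than a, i.e. b is the higher node on an arc of the graph.
Q_CLASSES = {"q1", "q2", "q3", "q4"}
Q_REL = {("q1", "q2"), ("q1", "q3"), ("q1", "q4"), ("q2", "q4"), ("q3", "q4")}

CYCLIC_CLASSES = {"A", "B", "C"}
CYCLIC_REL = {("B", "A"), ("C", "B"), ("A", "C")}      # A > B > C > A: a paradox

CATEGORY_CLASSES = {"CRYPTO", "NATO", "NUCLEAR"}        # unrelated singletons, no arcs


def transitive_closure(rel):
    """Add the arcs implied by transitivity; they are implicit in the graph."""
    closure = set(rel)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(closure), repeat=2):
            if b == c and (a, d) not in closure:
                closure.add((a, d))
                changed = True
    return closure


def has_cycle(classes, rel):
    """A cycle A > ... > A would make some class both > itself and = itself."""
    closure = transitive_closure(rel)
    return any((c, c) in closure for c in classes)


def dominates(closure, a, b):
    """a is at least as sensitive as b: a = b, or b R a holds after closure."""
    return a == b or (b, a) in closure


def lub(classes, closure, a, b):
    """The unique least upper bound of a and b, or None if there is none."""
    ubs = [c for c in classes if dominates(closure, c, a) and dominates(closure, c, b)]
    least = [u for u in ubs if all(dominates(closure, v, u) for v in ubs)]
    return least[0] if len(least) == 1 else None


def glb(classes, closure, a, b):
    """The unique greatest lower bound of a and b, or None if there is none."""
    lbs = [c for c in classes if dominates(closure, a, c) and dominates(closure, b, c)]
    greatest = [g for g in lbs if all(dominates(closure, g, v) for v in lbs)]
    return greatest[0] if len(greatest) == 1 else None


def is_lattice(classes, rel):
    """Every pair of access classes has exactly one LUB and one GLB."""
    closure = transitive_closure(rel)
    return all(lub(classes, closure, a, b) is not None
               and glb(classes, closure, a, b) is not None
               for a, b in product(classes, repeat=2))


def complete_to_lattice(classes, rel, high="SYSTEM HIGH", low="SYSTEM LOW"):
    """Reject a cyclic specification; otherwise add the system high / system
    low classes wherever the graph lacks a unique LUB / GLB over all classes.
    Returns (classes, relation, lub_of_all, glb_of_all)."""
    if has_cycle(classes, rel):
        raise ValueError("cyclic specification: not an enforceable policy")
    classes, rel = set(classes), set(rel)
    closure = transitive_closure(rel)
    tops = [c for c in classes if all(dominates(closure, c, d) for d in classes)]
    bottoms = [c for c in classes if all(dominates(closure, d, c) for d in classes)]
    if len(tops) != 1:
        rel |= {(c, high) for c in classes}   # every existing class lies below high
        classes.add(high)
        tops = [high]
    if len(bottoms) != 1:
        rel |= {(low, c) for c in classes}    # low lies below every class, high included
        classes.add(low)
        bottoms = [low]
    return classes, rel, tops[0], bottoms[0]


def bounds(classes, rel):
    """(GLB, LUB) of the whole set once it has been completed to a lattice."""
    _, _, top, bottom = complete_to_lattice(classes, rel)
    return bottom, top


if __name__ == "__main__":
    print("Q with R is a lattice:", is_lattice(Q_CLASSES, Q_REL), bounds(Q_CLASSES, Q_REL))
    print("A > B > C > A has a cycle:", has_cycle(CYCLIC_CLASSES, CYCLIC_REL))
    classes, rel, top, bottom = complete_to_lattice(CATEGORY_CLASSES, set())
    print("categories completed:", sorted(classes), top, bottom, is_lattice(classes, rel))
```

The lattice check is kept separate from the completion step so that a specification whose pairs still lack a unique bound after system high and system low are added is reported rather than assumed.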

D. SIMPLE LATTICE SECURITY POLICIES

A policy is a "simple lattice policy" when the policy establishes either one of two basic lattice structures. The first structure is formed by a simply ordered (viz., linearly ordered or totally ordered) set of access classes. For example, some policy might establish a simply ordered structure where SECRET is more sensitive than (>) CONFIDENTIAL > UNCLASSIFIED. Policies with simply ordered sets of access classes are called "hierarchical policies."

The other basic lattice structure is formed by a mutually exclusive set of access classes. For example, some policy might establish a mutually exclusive structure where CRYPTO is not related to (#) NATO # NUCLEAR. Those policies with mutually exclusive sets are called "category policies." One should note that a "compartment" access class, e.g., CRYPTO-NATO, is formed when some restricted form of access is available to two or more otherwise mutually exclusive categories of information.

Recall that a lattice security policy partitions the system's entities, with respect to their information sensitivities, into a set of equivalence classes that can be labeled by the access classes. Consider any two lattice security policies, P1 and P2, and some system containing a non-empty set of entities, A. When P1 is applied to the system, a partition, π1, is established creating the set of equivalence classes {e1, e2, ..., ei, ..., en}. Applying P2 to this system so partitioned refines the system, producing a unique partitioning π. π, then, is simply the product of π1, the partition induced by P1, and π2, the partition induced by P2. So for each ei, an equivalence class created by P1, a new set of equivalence classes, {ei1, ei2, ..., ein}, is produced. The partition π forms a lattice, viz., that induced by the composite policy P.

It readily follows that all lattice security policies are the product of one or more simple lattice policies. The total non-discretionary security package for a system, then, consists of some set of simple lattice security policies successively refining the system's entities, none of which may produce conflicting policies. This is shown to be particularly useful knowledge when one attempts to use the assignment technique as a means of security validation.
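As an added example (not the thesis's own code), the refinement just described is carried out in Python on a constructed set of entities labeled by a hierarchical policy P1 (SECRET > CONFIDENTIAL > UNCLASSIFIED) and a category policy P2 (category sets drawn from CRYPTO, NATO and NUCLEAR): it computes π1, π2 and the product π, checks that π refines both, and classifies pairs of composite access classes as >, =, < or #. The composite ordering used for that last step (level comparison together with category-set inclusion, in the manner of the lattice model of [13]) is an assumption of this example, since the passage does not spell it out.

```python
from collections import defaultdict

# Constructed system for this example: each entity carries a composite label
# (level under the hierarchical policy P1, set of categories under the category
# policy P2). Names and labels are illustrative only.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET"]       # simply ordered, low to high
ENTITIES = {
    "plan.doc":   ("SECRET", frozenset({"CRYPTO", "NATO"})),   # CRYPTO-NATO compartment
    "keys.bin":   ("SECRET", frozenset({"CRYPTO"})),
    "memo.txt":   ("SECRET", frozenset({"CRYPTO"})),
    "proc_alice": ("CONFIDENTIAL", frozenset({"NATO"})),
    "proc_bob":   ("CONFIDENTIAL", frozenset()),
    "readme":     ("UNCLASSIFIED", frozenset()),
}


def level_of(label):
    """P1 distinguishes entities by level only."""
    return label[0]


def categories_of(label):
    """P2 distinguishes entities by their category set only."""
    return label[1]


def partition(entities, label_under):
    """Equivalence classes of entities whose labels under one policy coincide."""
    classes = defaultdict(set)
    for name, label in entities.items():
        classes[label_under(label)].add(name)
    return {frozenset(members) for members in classes.values()}


def refine(pi, entities, label_under):
    """Apply a further policy to an already partitioned system: each class e_i
    of pi splits into {e_i1, e_i2, ...} according to the new labels."""
    refined = set()
    for e in pi:
        refined |= partition({name: entities[name] for name in e}, label_under)
    return refined


def is_refinement(fine, coarse):
    """Every class of `fine` lies wholly inside some class of `coarse`."""
    return all(any(e <= c for c in coarse) for e in fine)


def composite_partition(entities):
    """pi1 from P1, pi2 from P2, and their product pi, obtained by refining pi1 with P2."""
    pi1 = partition(entities, level_of)
    pi2 = partition(entities, categories_of)
    pi = refine(pi1, entities, categories_of)
    return pi1, pi2, pi


def relation(a, b):
    """Relation between two composite access classes under the assumed product
    order: a > b iff a's level is at least b's and a's categories include b's,
    with = only when both parts agree; classes comparable neither way are
    unrelated (#)."""
    level_ge = LEVELS.index(a[0]) >= LEVELS.index(b[0])
    level_le = LEVELS.index(a[0]) <= LEVELS.index(b[0])
    if a == b:
        return "="
    if level_ge and a[1] >= b[1]:
        return ">"
    if level_le and a[1] <= b[1]:
        return "<"
    return "#"


if __name__ == "__main__":
    pi1, pi2, pi = composite_partition(ENTITIES)
    print(len(pi1), "classes under P1,", len(pi2), "under P2,", len(pi), "under P = P1 * P2")
    print(relation(ENTITIES["plan.doc"], ENTITIES["proc_alice"]),
          relation(ENTITIES["keys.bin"], ENTITIES["proc_alice"]))
```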
E. ACCESS RELATIONS

Any specific non-discretionary security policy will distinguish one or more distinct access relations between subjects and objects. Associated with these distinctions one may derive, where not otherwise specified, the set of "access rights" which may be accorded to the subject. These access rights specify the liberties which the subjects may take with respect to these objects. Access rights are typically mirrored in the "access modes" of the corresponding protection mechanism. Although there exists a fine difference between an "access right" and an "access mode", viz., "access rights" are associated with security policies and "access modes" are associated with the protection mechanisms which enforce the policy, this discussion frequently refers to an "access right" as an "access mode" because it is the access mode which must inevitably be questioned when evaluating the enforcement of a security policy.

The enforcement of a policy is fundamentally limited by the system's granularity of access, which may also be thought of as the system's variety or richness of access modes. Policies that prescribe distinctions not recognized by the access control mechanisms must be enforced in an overly restrictive manner or ignored. For example, a policy addressing a concatenation access relation cannot be precisely enforced on a system that does not recognize some form of append access mode.

The  basis  of  all  security  enforcement  evaluation  lies  in 
tne  acceptability  of  an  access  relation.  An  access  relation 
is  defined  as  a  tuple  (subject,  access  mode,  object).  This 
tuple  signifies  that  a  relation  between  tne  subject  and 
object  exist  sucn  that  tne  subject  is  permitted  to  access 
tne  object  witn  all  the  privileges  associated  with  the 
access  mode.  The  problem  of  information  security  may 
generally  be  expressed  as  tne  problem  of  permitting  the 
existence  of  only  those  access  relations  that  in  no  way 
violate  any  of  the  applicable  systems  policies. 

One  can  see  then,  that  tne  granularity  of  access  control 
within  a  system  is  dependent  upon  the  ability  to  distinguish 
attributes  of  subjects  and  objects  plus  tne  distinct  access 
modes  available.  The  primitive  access  modes  (i.e.,  tnose 
access  modes  tnat  are  not  decomposable  by  the  system) 
associated  with  the  design  of  the  system,  including  the 
protection  mechanisms,  designate  tne  associated  rights 
accorded  to  an  access  request. 

When  tne  granularity  of  access  is  successively  refined, 
one  may  observe  two  conflicting  phenomena.  First,  the 
ability  to  distinguish  between  access  relations  is  more 
pronounced,  thus  allowing  for  greater  sophistication  and 
variety  in  policy  formulation.  The  problem,  however,  is  that 
tne  increased  distinctions  of  access  relations  increases  tae 
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complexity  of  the  security  evaluation  process.  Systems 
designers  are  face!  wltn  tne  problem  of  striding  a  balance 
between  tbe  granularity  oi  access  and  tne  complexity  of 
system  security  validation. 

This has not deterred the efforts of many systems designers, however, as the granularity of subjects and objects is quite refined in many systems. Unfortunately, such systems, almost without exception, have failed to enforce even minimal non-discretionary security policies.

Two generic access modes are particularly useful in the discussion of security. These are [16] "observe" (the ability to observe information) and "modify" (the ability to modify information). Other access modes may be generally thought of as a finer granularity of these two access modes. Figure 3 illustrates one such possible set of primitive access modes and how they are associated with the generic access modes.

[Figure 3 (image not reproduced): the primitive access modes, Append among them, grouped under the generic modes Observe and Modify.]

Figure 3. Generic Access Modes

The problem of computer security enforcement can be reduced to the problem of limiting the access relations within the system to only those that neither directly nor indirectly violate the system's security policies. If one can establish that all of the access relations permitted in the system are acceptable to the policy, one has established that the system is "secure."


F.  ILLUSTRATION  OF  POLICIES 

In reviewing the computer science literature, this author was unable to discover any illustration forms appropriate for showing the features of non-discretionary security policies in sufficient detail that one could readily discern all permissible access relations within the system simply by examining the illustration alone. This section presents a review of the major forms examined and their failure to adequately illustrate access relations. It also provides two proposed alternative forms that more clearly illustrate the access relations of a system in a manner which leaves no doubt as to the nature of the policy and the requirements for its enforcement.


Figure  4.  Basic  Lattice  Form 


Figure 4 shows a representation for a lattice structure commonly found in mathematical texts [22,23]. With respect to lattice security policies, each node represents an access class and the arcs signify that the node nearer the top of the page represents an access class which is more sensitive than the lower node's access class. Thus, in figure 4 one may observe that A > D and B > A. Sometimes these arcs are labeled by ">" symbols, but this merely tends to clutter the illustration and provides no additional information. Note that this form provides no information regarding access relations without some examination of the policy that is being illustrated, e.g., one cannot readily answer the question "can a subject of access class A write to an object of access class D?"

The form shown in figure 5 [12,13] provides basically the same information. This form illustrates the permissible information flow that is immediate and non-reflexive by means of directed arcs. Nodes are once again used to represent access classes. Access relations are still non-discernible by examination of the illustration alone.


Figure 5. Information Flow Form
Another form which is popular in capability-based protection systems research [24], illustrated in figure 6, is called a protection graph [20]. These graphs specify each subject as a solid node, and each object as an empty node, "o". The directed arcs between nodes specify the access rights of the source by the associated labels. This form provides an extremely detailed means of representing all access relations within the system. Unfortunately, this form provides such detail that an illustration of any practical system becomes exceedingly busy. Thus one quickly loses the ability to distinguish between access classes even when they are clearly labeled. What is needed is a higher order of abstraction for the presentation of practical systems.
Figure 7 represents the first illustration form proposed by this author, called an "access relation graph". In this form, each node represents an access class as specified by the policy. All non-reflexive immediate access relations [13] between access classes (except those that may be established by forming a transitive closure over some given access mode(s)) are grouped by access mode and shown as directed arcs labeled by the associated access mode(s). This form solves the problem of the protection graph for non-discretionary security policy representation by providing the minimum information necessary for one to fully grasp all the security implications of the policy from a single illustration.


Figure 7. Access Relation Graph
An access relation graph clearly shows all permissible access relations specified by a non-discretionary security policy. Reflexive relations, i.e., those with a subject of the same access class as the object, need never be specifically cited unless all access modes are not permitted within an access class. Antisymmetric relations are clearly defined by the directed arcs. Transitive relations are inferred from the path of two or more antisymmetric relations (viz., in figure 7 a subject of the LUB access class may read from an object of the GLB access class). Therefore, the form meets the mathematical requirements for a lattice in that all access relations for the lattice (i.e., a universally bounded partially ordered set) are clearly illustrated.

In its most delineated case, the access relation graph is reduced to a protection graph. The advantage of the access relation graph over the protection graph is simplicity. Only the access relations needed to represent the policy are shown. Additionally, complex policies and composite policies are illustrated in one simplified form.
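The construction described above, as an added example that is not part of the thesis: the code builds the arcs of an access relation graph for a small constructed lattice (two levels crossed with two categories, so the order is not linear) under observe/modify rules of the compromise kind, keeping only the immediate, non-reflexive relations, and then recovers the transitive relations by following paths of arcs. The lattice, the mode rules and the function names are assumptions made for illustration.

```python
"""Access relation graph (the form of figure 7) for a constructed lattice.
Added example, not the thesis's own code."""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# An access class is (level, set of categories).  Constructed lattice:
# levels 0 and 1, categories "a" and "b" -> eight classes.
AccessClass = Tuple[int, FrozenSet[str]]
Arc = Tuple[AccessClass, AccessClass]          # (subject class, object class)


def dominates(c: AccessClass, d: AccessClass) -> bool:
    """c >= d in the lattice: level no lower and categories a superset."""
    return c[0] >= d[0] and c[1] >= d[1]


def build_lattice(levels: List[int], categories: List[str]) -> List[AccessClass]:
    cats = list(categories)
    subsets = [frozenset(s) for n in range(len(cats) + 1) for s in combinations(cats, n)]
    return [(lv, s) for lv in levels for s in subsets]


def immediate_pairs(classes: List[AccessClass]) -> List[Tuple[AccessClass, AccessClass]]:
    """(c, d) with c > d and no class strictly between: the immediate,
    non-reflexive relations whose transitive closure is the whole order."""
    pairs = []
    for c in classes:
        for d in classes:
            if c == d or not dominates(c, d):
                continue
            between = any(x not in (c, d) and dominates(c, x) and dominates(x, d)
                          for x in classes)
            if not between:
                pairs.append((c, d))
    return pairs


# Compromise-style rules (assumption): observe only downward, modify only upward.
COMPROMISE: Dict[str, Callable[[AccessClass, AccessClass], bool]] = {
    "observe": lambda subj, obj: dominates(subj, obj),
    "modify": lambda subj, obj: dominates(obj, subj),
}


def access_relation_graph(classes: List[AccessClass], policy) -> Dict[str, Set[Arc]]:
    """Mode -> directed arcs (subject class -> object class), one arc per
    immediate relation the policy permits in that mode."""
    graph: Dict[str, Set[Arc]] = {}
    for mode, allowed in policy.items():
        arcs: Set[Arc] = set()
        for high, low in immediate_pairs(classes):
            if allowed(high, low):
                arcs.add((high, low))
            if allowed(low, high):
                arcs.add((low, high))
        graph[mode] = arcs
    return graph


def reachable(arcs: Set[Arc], src: AccessClass, dst: AccessClass) -> bool:
    """Transitive relation: True iff dst is reached from src by one or more arcs."""
    seen: Set[AccessClass] = set()
    stack = [src]
    while stack:
        node = stack.pop()
        for a, b in arcs:
            if a == node and b not in seen:
                if b == dst:
                    return True
                seen.add(b)
                stack.append(b)
    return False


def label(c: AccessClass) -> str:
    """Short printable name, e.g. '1:ab' or '0:-' for the bottom class."""
    return f"{c[0]}:{''.join(sorted(c[1])) or '-'}"


if __name__ == "__main__":
    lattice = build_lattice([0, 1], ["a", "b"])
    graph = access_relation_graph(lattice, COMPROMISE)
    for mode, arcs in graph.items():
        print(mode, sorted(f"{label(s)} -> {label(o)}" for s, o in arcs))
```

The graph for this lattice has twelve observe arcs and twelve modify arcs (each modify arc is an observe arc reversed); the comparable-but-not-immediate pairs, such as the LUB reading the GLB, are recovered only through `reachable`, which is exactly the inference the text asks the reader to make from the drawing.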

Another illustration form that is particularly useful when discussing uniform lattice structures (i.e., those access relation graphs where the access modes between any two antisymmetric access classes are identical) is the linear access graph. Such a graph shows the security label(s) of the objects (i.e., how one represents the sensitivity of the object) and denotes the access modes available to subjects of varying sensitivity with respect to the sensitivity of the objects. Figure 8(A) illustrates a simple general linear access graph. In this figure, subjects with greater sensitivity than the object's sensitivity would enjoy the use of access mode(s) 2 when referencing that object. Subjects of inferior sensitivity to the object's sensitivity would enjoy the use of access mode(s) 1 when referencing that object. Subjects of the same sensitivity as the object would enjoy access modes 1 and 2 when referencing the object. The linear access graph for the Multics Ring Brackets, first pointed out to the author by R. Schell, is shown as an example of a familiar policy represented in this form in figure 8(B).

[Figure 8 (image not reproduced). (A): a Security Label axis running from System High to System Low, with access mode(s) 1 marked on one side of the axis and access mode(s) 2 on the other. (B): a ring number axis running from Ring 0 through R1, R2 and R3, with the modes execute, write, read and call as a gate marked against it.]

Figure 8. Linear Access Graphs
The disadvantage of the linear access graph is that it may only be used for illustration of uniform policies, i.e., those policies where the access relations between any two access classes (one of which is more sensitive than the other) are identical. The succinct nature of this form, however, makes it possible to capture the essence of a class of policies, i.e., those which may be described by the same linear access graph, without going into all the details.

G.  EXAMPLE  POLICIES 

Having discussed the nature of policies in general, one is now prepared to examine several specific policies of interest. Such a discussion logically begins with the two broadest classes of security policies, i.e., compromise and subversion.

[Figure 9 (image not reproduced): a Sensitivity Label axis running from Upper Limits to Lower Limits, with Modify marked on one side of the axis and Observe on the other.]

Figure 9. Compromise Policy.

A compromise policy, sometimes referred to simply as a security policy, is one whose primary intent is to prohibit the unauthorized observation of information. Figure 9 shows the general form of such a policy. Subjects may observe only those objects whose sensitivity is less than or equal to the subject's sensitivity in order to prevent direct observation of an object by an unauthorized subject, viz., the Simple Security Condition [10]. In order to prevent indirect observation of objects by unauthorized subjects, a sufficient but not necessary condition establishes that modification of objects must at least be limited to those subjects whose sensitivity is less than or equal to the object's sensitivity, viz., the (Security) Confinement Property, also known by a less descriptive title as the *-Property [11].

A subversion policy, sometimes referred to simply as an integrity policy, is the dual of a compromise policy. The primary interest of a subversion policy is to prohibit the unauthorized modification of information. Figure 10 illustrates these general characteristics. Subjects may modify only those objects whose sensitivity is less than or equal to the subject's sensitivity in order to prevent direct modification of an object by an unauthorized subject, viz., the Simple Integrity Condition [21]. In order to prevent indirect modification of objects by unauthorized subjects, a sufficient but not necessary condition is that observation of objects must be limited to those subjects whose sensitivity is less than or equal to the object's sensitivity, viz., the Integrity Confinement Property [21].


Figure  10.  Subversion  Policy. 

The importance of subversion policies should not be underestimated [2,21]. Changing the course of an ICBM, for example, should in most cases require a more sensitive authorization than simply knowing its course. Such policies, however, are often overlooked in many Command, Control, and Communications systems [2].

Another general class of policies that is of general interest in Security Kernel research, and whose title was coined during the course of this research effort by R. Schell, are the "Program Integrity" policies [4]. The notion of program integrity stems from the desire to prohibit unauthorized modification of executable programs by less trustworthy subjects. In the general case, one wishes to ensure that the more sensitive programs are "tamperproof." In other words, one wants to be sure that the program can be "trusted" to perform as specified and cannot be "tricked" by merely reading data of lower sensitivity or "importance." For example, a system designer/programmer may wish to ensure that his programs always perform as specified in both his test environment and in any application environment. Unlike a strict integrity policy [21], program integrity is not concerned with the issue of general observation of information. Program integrity is therefore less conservative (and thus more "risky") than Biba's integrity policy. Program integrity deals only with execution and modification of information. As such, figure 11 illustrates the general form of a program integrity policy.


[Figure 11 (image not reproduced): a Sensitivity Label axis running from Upper Limits to Lower Limits, with Execute marked on one side of the axis and Modify on the other.]

Figure 11. Program Integrity Policy.


One may guarantee that no direct modification of a program by an unauthorized subject (i.e., a direct threat) is possible by enforcement of the following condition:

Simple Program Integrity Condition: If a subject has modify access to an object, then the program integrity of the subject is greater than or equal to the program integrity of the object.


Because program integrity policies are concerned with the execution issue (versus the observation issue [21]), indirect modification of information is not strictly prohibited. This provides a certain degree of flexibility, but also produces a certain amount of risk [19]. Confinement of execution reduces the risk of such an indirect threat but does not eliminate it. A more sensitive subject must be trusted not to modify a less sensitive object either intentionally or otherwise. An indirect threat occurs when a subject executes a program that has been modified by a less trustworthy subject; therefore, one wishes to confine the execution access relations. The confinement property for program integrity is defined as follows:

Program Integrity Confinement Property: If a subject has execute access to an object, then the program integrity of the object is greater than or equal to the program integrity of the subject.
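The three pairs of conditions just stated (Simple Security Condition and Confinement Property; Simple Integrity Condition and Integrity Confinement Property; Simple Program Integrity Condition and Program Integrity Confinement Property), applied to access relations of the form (subject, access mode, object) defined earlier in this section. This is an added example, not code from the thesis; the four-step sensitivity scale, the treatment of a mode a policy does not mention as not permitted, and the sample relations are constructed assumptions.

```python
"""Acceptability of access relations under the compromise, subversion and
program-integrity conditions.  Added example, not the thesis's code."""
from typing import Callable, Dict, List, Tuple

# Constructed linear sensitivity scale (assumption); subjects and objects
# are named by their labels, since only the labels matter to these policies.
LEVEL = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

AccessRelation = Tuple[str, str, str]            # (subject, access mode, object)
Policy = Dict[str, Callable[[int, int], bool]]   # mode -> rule(subject lvl, object lvl)

COMPROMISE: Policy = {
    # Simple Security Condition: observe only objects at or below the subject.
    "observe": lambda s, o: o <= s,
    # (Security) Confinement / *-Property: modify only objects at or above
    # the subject, so nothing observed can be written to a lower object.
    "modify": lambda s, o: s <= o,
}

SUBVERSION: Policy = {
    # Simple Integrity Condition: modify only objects at or below the subject.
    "modify": lambda s, o: o <= s,
    # Integrity Confinement Property: observe only objects at or above the
    # subject, so lower-integrity data cannot influence it.
    "observe": lambda s, o: s <= o,
}

PROGRAM_INTEGRITY: Policy = {
    # Simple Program Integrity Condition: modify only objects whose program
    # integrity is at or below the subject's.
    "modify": lambda s, o: o <= s,
    # Program Integrity Confinement Property: execute only objects whose
    # program integrity is at or above the subject's.
    "execute": lambda s, o: s <= o,
    # Observation is not constrained by a program integrity policy.
    "observe": lambda s, o: True,
}


def acceptable(rel: AccessRelation, policy: Policy) -> bool:
    """True iff the relation violates none of the policy's conditions.
    A mode the policy does not mention is treated as not permitted (assumption)."""
    subject, mode, obj = rel
    rule = policy.get(mode)
    if rule is None:
        return False
    return rule(LEVEL[subject], LEVEL[obj])


def violations(rels: List[AccessRelation], policy: Policy) -> List[AccessRelation]:
    """The relations in rels that the policy would not permit."""
    return [r for r in rels if not acceptable(r, policy)]


# Constructed sample: a SECRET subject reading down, writing down and
# executing a TOP SECRET program.
SAMPLE: List[AccessRelation] = [
    ("SECRET", "observe", "CONFIDENTIAL"),
    ("SECRET", "modify", "CONFIDENTIAL"),
    ("SECRET", "execute", "TOP SECRET"),
]

if __name__ == "__main__":
    for name, pol in (("compromise", COMPROMISE), ("subversion", SUBVERSION),
                      ("program integrity", PROGRAM_INTEGRITY)):
        print(f"{name:18} rejects {violations(SAMPLE, pol)}")
```

Running the sample shows the duality the text describes: the compromise policy rejects the write-down, the subversion policy rejects the read-down, and the program integrity policy accepts both while only constraining what may be executed.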


The remainder of the section discusses three policies of general interest to federal ADP users. Any computer system designed for use by the federal government should, as a minimum, consider its ability to enforce these policies.

1. National Security Policy

The National Security Policy classifies information essential to the National Defense or foreign relations of the United States. The President of the United States established this policy in Executive Order Number 12065 dated June 28, 1978 [25]. This order defines three levels of classification as follows:


TOP SECRET: That information or material the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to the national security.

SECRET: That information or material the unauthorized disclosure of which could reasonably be expected to cause serious damage to the national security.

CONFIDENTIAL: That information or material the unauthorized disclosure of which could reasonably be expected to cause damage to the national security.

Implicit in this set of definitions, there also exists a classification of information which is not classified. Therefore, one has four hierarchical access classes established by this policy, the intent of which is to prevent unauthorized disclosure (viz., observation) of information so classified. Figure 12 shows the access relation graph for this compromise policy, which is referred to as the basic National Security Policy.

Executive Order 12065 also establishes [25] the authority to originally classify new information. Information may be classified Top Secret only by officials designated in writing. Information may be classified Secret only by officials who have Top Secret classifications or by officials designated in writing. Information may be classified Confidential only by officials with Top Secret or Secret classifications or by officials designated in writing.

In order to obtain access to classified material, the order indicates that a person must be determined trustworthy (granted clearance) and that access is necessary in the performance of that person's duties ("need to know"). This is a discretionary policy, however, and will be discussed no further. All classified material shall be appropriately and conspicuously marked to put all persons on clear notice that the information is classified. Classified material no longer needed shall be promptly destroyed.


Figure 12. Basic National Security Policy.

2.  National  Integrity  Policy 

The dual of the National Security Policy is the National Integrity Policy [21]. Motivation for such a policy comes from the desire to prohibit subversion, i.e., the unauthorized modification of information. The following set of integrity classes have been established for this policy [21]. Implicit with this classification scheme, one also has information that is not classified.

TOP SECRET: That information or material the unauthorized modification of which could reasonably be expected to cause exceptionally grave damage to the national security.

SECRET: That information or material the unauthorized modification of which could reasonably be expected to cause serious damage to the national security.

CONFIDENTIAL: That information or material the unauthorized modification of which could reasonably be expected to cause damage to the national security.

One further point concerning integrity policies must be emphasized before one proceeds. Generally speaking, one has a good notion of how to classify information with respect to security and unauthorized observation, but classification with respect to integrity is not so easily identified. In some sense, integrity classification must be determined by the object's potential importance rather than by its current importance. Consider, for example, a simple sine function tucked away in some obscure user library. If this function is used to compute trajectories for an inter-continental ballistic missile, it becomes TOP SECRET with respect to the National Integrity Policy, whereas it is clearly UNCLASSIFIED with respect to the National Security Policy. Classification of information with respect to integrity will generally require considerable planning and foresight [2].


3. Privacy


The Code of Fair Information Practices and the Privacy Act of 1974 established the following basic policy for the Federal Government [26].


(1) There must be no personal data record-keeping systems whose very existence is secret.

(2) There must be a way for an individual to find out what information about him is on record and how it is used.

(3) There must be a way for an individual to correct or amend a record of identifiable information about him.

(4) There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.

(5) Any organization creating, maintaining, using or disseminating records of identifiable personal data must guarantee the reliability of the data for their intended use and must take precautions to prevent misuse.


All information systems (including computer systems) used by the Federal Government are subject to these privacy requirements and must incorporate a corresponding set of safeguards when they process "Privacy Information."

These three policies are applicable to many Federal data processing applications. Numerous other non-discretionary policies exist both in the Federal, State, and Local governments and in private industry. It has been shown in this section that these policies may be precisely described using access relation graphs or linear access graphs as described in this section. Once a policy has been so described, a precise evaluation of its enforcement may be considered.
III. A FORMALIZED NOTION OF DOMAINS


The notion of a "domain" has not been clearly presented in a precise manner, nor properly defined. Dennis [5] introduced the concept by describing a "sphere of protection." Lampson [6] refined the concept, coining the term "domain", and defined a domain as a group of capabilities or protected names. Schroeder [9] maintains Lampson's definition, but provides an in-depth discussion and presentation of his ideas, many of which were instrumental in the formulation of the concepts presented here. Schroeder further refined the ideas from his thesis, and together with Saltzer [14], defines a domain as a set of objects that may be accessed by a principal. This definition is the most commonly accepted today, but for any rigorous discussion of domains, or for presentation of a concept such as the assignment technique, a more formalized definition is needed.

An access domain A_k is a tuple (a_1, a_2, ..., a_i, ..., a_n), where n is the number of primitive (non-decomposable) access modes in the system and a_i is the set of all objects, {O_1, O_2, ..., O_j, ..., O_m}, accessible by the i-th access mode. An (access mode)-domain is the set of objects that a process executing in that domain (i.e., a subject) has the right, or privilege, of accessing according to the rules for that particular access mode.

Consider the following examples of domains:

A1: (Observe(O): {A}, Modify(M): {B})

A2: (O: {A,B,C}, M: {A,B,C})

A3: (O: {A,C,D}, M: {})

A4: (O: {A,B,C,D}, M: {A,B,C,D})

The observe-domain of A1 (denoted as OA1) is object A and the modify-domain MA1 is object B. Note that simply referring to A1 as containing objects A and B would not provide much insight into the true nature of this domain [14].

The notion of "dominance" with respect to domains was introduced by Grohn [16]. These notions are refined from security dominance and integrity dominance to a more general definition of dominance.

A domain A_i dominates A_j if and only if (iff) for each access mode "a", aA_j ⊆ aA_i. This is particularly useful when discussing the relationship between domains with respect to access modes. One can say that for some a_k, a_kA_i dominates a_kA_j iff a_kA_j ⊆ a_kA_i.

Continuing with the previous group of example domains, OA4 dominates OA3, OA3 dominates OA1, MA4 dominates MA3, MA1 dominates MA3, and A4 dominates A3, but A3 does not dominate A1. Similar examples can be formulated by the reader.
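The domain definition and the dominance relation above, carried through on the four example domains A1 to A4, as an added example (not the thesis's code). The per-mode sets follow the examples in the text, with MA3 taken as the empty set; the helper names and the "dominance domain" check at the end are assumptions made for illustration.

```python
"""Access domains as tuples of per-mode object sets, and dominance between
them.  Added example, not the thesis's code."""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# A domain maps each access mode a_i to the set of objects accessible in it.
Domain = Dict[str, FrozenSet[str]]


def domain(**modes: str) -> Domain:
    """Build a domain from strings of one-letter object names, e.g. domain(O="ABC", M="B")."""
    return {mode: frozenset(objs) for mode, objs in modes.items()}


# The four example domains from the text (MA3 read as the empty set).
A1 = domain(O="A", M="B")
A2 = domain(O="ABC", M="ABC")
A3 = domain(O="ACD", M="")
A4 = domain(O="ABCD", M="ABCD")
EXAMPLES: Dict[str, Domain] = {"A1": A1, "A2": A2, "A3": A3, "A4": A4}


def mode_dominates(ai: Domain, aj: Domain, mode: str) -> bool:
    """a_k A_i dominates a_k A_j iff a_k A_j is a subset of a_k A_i."""
    return aj.get(mode, frozenset()) <= ai.get(mode, frozenset())


def dominates(ai: Domain, aj: Domain) -> bool:
    """A_i dominates A_j iff it does so for every access mode in the system."""
    modes = set(ai) | set(aj)
    return all(mode_dominates(ai, aj, m) for m in modes)


def dominance_table(domains: Dict[str, Domain]) -> List[Tuple[str, str]]:
    """All ordered pairs (i, j), i != j, with A_i dominating A_j."""
    return sorted((i, j) for i in domains for j in domains
                  if i != j and dominates(domains[i], domains[j]))


def is_dominance_domain(candidate: Domain, domains: Iterable[Domain]) -> bool:
    """True iff the candidate dominates every domain given: the role a
    mechanism's dominance domain plays for the domains that may exist under it."""
    return all(dominates(candidate, d) for d in domains)


if __name__ == "__main__":
    print("OA4 dominates OA3:", mode_dominates(A4, A3, "O"))
    print("A3 dominates A1:  ", dominates(A3, A1))
    print("dominance pairs:  ", dominance_table(EXAMPLES))
```

The table makes the text's observations mechanical: A3 fails to dominate A1 only because MA1 = {B} is not contained in MA3, even though OA3 contains OA1, which is why the per-mode decomposition of a domain matters.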

Dominance domains may be labeled for convenience. In the Multics system, for example, the dominance domains established by the ring mechanism were known as rings and were labeled by ring numbers. Schroeder's protection mechanism also uses numbers as labels for dominance domains [8].

The system's protection mechanisms establish a set of dominance domains that can be used for evaluating the protection mechanisms. These dominance domains dominate all domains that currently exist or may exist within the system. If one can establish the set of dominance domains for the system and one can show that the policy holds for these domains, then one can show that the policy holds for all domains.

A mechanism, in the most general sense, is something that prevents the occurrence of certain sequences of operations [15]. A protection mechanism, or an access control mechanism, can be defined as something that prevents the unauthorized access of information. In the broadest sense, one may include as protection mechanisms such things as walls, patrol dogs and cypher locks. More specifically, though, a protection mechanism for a computer operating system is a procedure, implemented in software, firmware (if there is such a thing) or hardware, that prohibits the access of objects within a system such that the domain of any process is dominated by some particular dominance domain inherently established by the protection mechanisms.


Figure  13.  Multics  Rings 

The Multics Ring Mechanism [28] is a well known protection mechanism that provides an excellent example for the discussion of dominance domains. One may think of these dominance domains as a set of concentric rings (illustrated in figure 13), each numbered in increasing order from the inner-most ring or kernel. The kernel is conventionally assigned ring number zero.


The Multics Ring Mechanism determines the authorized access of a subject by means of the current ring number (r) that specifies the dominance domain. Discrimination among objects is by means of a ring bracket. The ring bracket is a three-tuple (R1, R2, R3) where R1, R2, and R3 are ring numbers and R1 must be numerically less than or equal to R2, which is less than or equal to R3. Access is characterized by the rules illustrated in the linear access graph shown in figure 14.

[Figure 14 (image not reproduced): a ring number axis marked with the bracket numbers; the labels Execute, Call (as a gate) and R3 are recoverable.]

Figure 14. Multics Ring Mechanism Linear Access Graph

Consider now a system that uses the Multics Ring Mechanism and discriminates among four distinct hierarchical rings (0 through 3). One may think of the domains established by this system as A0, A1, A2, and A3. Consider the rules of access established in figure 14, where MA0 is the set of objects that may be modified by a process in domain A0. Then MA0 dominates MA1, which dominates MA2, which dominates MA3. Likewise, OA0 dominates OA1, which dominates OA2, which dominates OA3. No such relationship exists for execute or call (as a gate). EA3 does not dominate EA2, as R2 may be 2 for some object X, in which case X ∈ EA2 but X ∉ EA3. Likewise CA3 (the Call (as a gate) domain of A3) does not dominate CA2, as R3 may be zero, for example, in which case R1 and R2 must be zero, ruling out the possibility of successive dominance call-domains.

Note that a single object may be a member of several dominance domains. Some object X, with ring brackets (2,2,3), is a member of OA0, OA1, OA2, MA0, MA1, MA2, EA2, and CA3. Therefore, X ∈ A0, A1, A2 and A3. This concept can be confusing, as an object is a distinct entity generally represented by a single image.
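The ring-bracket rules and the per-mode domains they induce for rings 0 through 3, worked through in code as an added example (not the thesis's code). Figure 14 is not reproduced here, so the rules used are the standard Multics ones, which is an assumption: write if r ≤ R1, read if r ≤ R2, execute if R1 ≤ r ≤ R2, call as a gate if R2 < r ≤ R3. The set of objects and their brackets is constructed, with X carrying the bracket (2,2,3) from the text.

```python
"""Multics ring brackets: which modes ring r holds on a bracket (R1,R2,R3),
and whether the resulting mode-domains form a dominance chain.
Added example, not the thesis's code; the rules are the standard Multics
ones and are an assumption, since figure 14 is not reproduced."""
from typing import Dict, FrozenSet, List, Tuple

Bracket = Tuple[int, int, int]          # (R1, R2, R3) with R1 <= R2 <= R3
MODES = ("O", "M", "E", "C")            # observe (read), modify (write), execute, call as a gate
ModeDomains = Dict[str, FrozenSet[str]]


def permitted(r: int, bracket: Bracket) -> FrozenSet[str]:
    """Modes a process in ring r holds on an object with this bracket."""
    r1, r2, r3 = bracket
    if not r1 <= r2 <= r3:
        raise ValueError(f"bracket {bracket} must satisfy R1 <= R2 <= R3")
    modes = set()
    if r <= r2:
        modes.add("O")                  # read: r <= R2
    if r <= r1:
        modes.add("M")                  # write: r <= R1
    if r1 <= r <= r2:
        modes.add("E")                  # execute: within the execute bracket
    if r2 < r <= r3:
        modes.add("C")                  # call as a gate: within the gate bracket
    return frozenset(modes)


def ring_domains(objects: Dict[str, Bracket], rings: List[int]) -> Dict[int, ModeDomains]:
    """A_r for each ring: mode -> set of objects reachable in that mode."""
    return {r: {m: frozenset(o for o, b in objects.items() if m in permitted(r, b))
                for m in MODES}
            for r in rings}


def mode_dominates(domains: Dict[int, ModeDomains], mode: str, i: int, j: int) -> bool:
    """mode-domain of A_i dominates that of A_j iff the latter is a subset."""
    return domains[j][mode] <= domains[i][mode]


def chain_holds(domains: Dict[int, ModeDomains], mode: str, rings: List[int]) -> bool:
    """True iff A_r0 dominates A_r1 dominates ... for the given mode."""
    return all(mode_dominates(domains, mode, rings[k], rings[k + 1])
               for k in range(len(rings) - 1))


def rings_containing(domains: Dict[int, ModeDomains], obj: str) -> List[int]:
    """Rings whose domain contains obj in at least one mode."""
    return sorted(r for r, d in domains.items() if any(obj in s for s in d.values()))


# Constructed objects; X carries the bracket (2,2,3) discussed in the text.
OBJECTS: Dict[str, Bracket] = {"X": (2, 2, 3), "K": (0, 0, 0), "G": (1, 1, 3),
                               "U": (3, 3, 3), "P": (0, 1, 1)}
RINGS = [0, 1, 2, 3]

if __name__ == "__main__":
    domains = ring_domains(OBJECTS, RINGS)
    for mode in MODES:
        print(mode, "dominance chain holds:", chain_holds(domains, mode, RINGS))
    print("X lies in rings", rings_containing(domains, "X"))
```

With these rules the observe- and modify-domains shrink monotonically as the ring number rises, so the chains for O and M hold, while the execute and call-as-gate domains of the constructed objects break their chains, which is the distinction the text draws.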

This section has established a formal definition of domains suitable for discussion of complex domain related issues. The notion of dominance domains was introduced and their relationship to protection mechanisms established. The Multics Ring Mechanism provided an example of the means by which one may evaluate the dominance domains established by a protection mechanism. Having formalized these concepts, the relationship between policy and mechanism may now be investigated in an organized manner.
IV. THE ASSIGNMENT TECHNIQUE


This section introduces a mathematical framework for evaluating the relationship between non-discretionary security policies and protection mechanisms. An evaluation approach, termed "The Assignment Technique", utilizes the entity-relationship model in establishing an assignment between the security classes of information established by the policy constraints, and dominance domains, established by the properties of the mechanism. The assignment technique provides a theoretical foundation for assessing the sufficiency of an access control mechanism with respect to a well formed protection policy.

This section begins with a general discussion of the meaning of "assignment". It then proceeds to introduce the assignment technique in a general form. The section concludes with a simplification of the assignment technique made possible by the lattice nature of non-discretionary security policies.

A.  ASSIGNMENT 

Assignment is the establishment of a relationship between two entities such that the first entity is "assigned to" the second entity. Mathematically, the term assignment is not significant. One could easily have said that entity 1 is related to entity 2. Intuitively, however, assignment is associated with the connotation "to fix authoritatively". This precisely describes the manner in which this relationship is established.

Assignment may be denoted by a graph from the first entity to the second as follows:

(entity 1) ---- "is assigned to" ----> (entity 2)

It is important to recognize that assignment does not alter either entity. Assignment is merely the act of associating an entity or set of entities with some other entity or set of entities.

Another way to describe assignment is in terms of the act of forming a tuple (entity 1, entity 2). Additionally, one may think of assignment as a function (i.e., "is assigned to") where the assignment process establishes a mapping between two otherwise disjoint entities. Regardless of the context of discussion or the symbolism used, one may simply think of assignment as the act of associating one thing with another.

B.  THE  TECHNIQUE 


The essence of the assignment technique is relatively simple. First of all, consider the nature of a lattice security policy. Such a policy partitions the objects of a system into a lattice of equivalence classes labeled by the access classes as discussed in section II. Each equivalence class can be thought of as an entity that may be subject to assignment.

Then consider a mechanism, which establishes a lattice of dominance domains as discussed in section III. Each of these domains can also be thought of as an entity that may be subject to assignment.

Since an assignment can be established between any two entities, one can make an assignment between the equivalence classes established by a lattice security policy and the dominance domains established by some protection mechanism. One may then validate that (for this assignment) the mechanism is sufficient to support this policy. This validation is made by examining the set of access relations that the mechanism permits, and testing for possible violations of the policy.

The assignment technique can be described more systematically as follows:

1) Determine if the policy is a lattice policy. If not, the assignment technique does not apply.

2) Establish the set of equivalence classes, { e1, e2, ..., ek, ..., ep }, that are associated with each access class.

3) Determine the set of dominance domains, { A1, A2, ..., Ak, ... }, that are established by the system's protection mechanism.

4) Make an assignment from ek to Ak.

5) For this assignment, examine the access relations permitted by the mechanism, testing for possible violations of the policy.

6) If no violations can exist, the mechanism is sufficient for the policy in question.

Step 4 of the assignment method allows for considerable flexibility in the manner in which assignments can be made. Any possible mapping from equivalence classes to dominance domains may be considered. This flexibility, however, implies considerable effort in order to determine that a mechanism is not sufficient for a given policy. Fortunately, in this thesis one is specifically dealing with the security issue. Because of this, several refinements can be made that greatly simplify this task.

C.  SIMPLE  ASSIGNMENT 

The question of how one chooses to make assignments (i.e., the choice of an assignment scheme) may seem relatively complex upon first inspection of the assignment technique. The problem, however, becomes almost trivial when dealing with simple non-discretionary security policies as is shown by the following arguments.

First of all, it is clear that the equivalence classes (established by the policy constraints) represent distinct access classes. It is also clear that the dominance domains represent distinct sets of objects. If more than one equivalence class were assigned to the same dominance domain, then there is nothing in the mechanism to distinguish between the access classes. But the policy does draw some distinctions between these access classes (i.e., that distinction established by the definition of the access classes), so it would not be possible to enforce the policy with such an assignment. All such assignments can be eliminated, a priori.

On the other hand, if one equivalence class were assigned to more than one dominance domain, then some distinction is being made for an access class that is not specified in the policy. In some cases, one may find that such distinctions produce violations of the policy. Although other cases may not do so, these extra dominance domains are unnecessary, providing distinctions which have no significance. Therefore, the number of dominance domains of interest established by the mechanisms should be equal to the number of access classes established by the policies.

One may attempt to argue that there may exist dominance domains that do not receive an assignment. Such domains, however, must be either empty or in no way allow for an exception to the enforcement of the policy. As such, one need not be concerned with the question of their existence. One need only concentrate on the dominance domains for which the assignment was made.
Considering assignment as a function, it has been established that the only assignment schemes of interest are bijective (i.e., a one to one and onto relationship between the access classes and the dominance domains [22]). This provides some improvement, but one is still faced with at least p! possible assignment schemes to evaluate (where p is the number of access classes established by the policy).

One may gain considerable improvement, however, by only attempting to validate one simple mechanism with respect to one simple policy at a time. Furthermore, the knowledge of partially ordered sets may be used to make our assignments in a very selective manner. This is done by first requiring that the lattice for the dominance domains of interest that one considers for assignment be an isomorphic image of that for the equivalence classes. This may not be a necessary condition; however, it in no way invalidates the results shown (as one would otherwise be dealing with an isomorphic sub-image established by the mechanism), and it is helpful in this discussion.

When considering the isomorphic image of a lattice, the problem of assignment is reduced to a question of orientation. One may either assign the greatest lower bound of the lattice to the greatest lower bound of the image, or assign the greatest lower bound of the lattice to the least upper bound of the image. Any other assignment would not be acceptable as it would violate the ordering of the lattice or of the image.

So for a system of k isomorphic images of the lattice established by the policy, one need only consider at most 2k assignment schemes. In most practical cases, when the mechanism establishes isomorphic images which are identical in their access control properties because of the uniform nature of the mechanism, one need consider only 2 assignment schemes.

The Simple Assignment Theorem: For any simple lattice policy and an isomorphic image established by some protection mechanism, no more than two assignment schemes are necessary to validate the sufficiency of the mechanism to enforce the policy.

Proof Sketch: The proof proceeds by showing that two assignment schemes are reasonable and that all others are not.

1) Make assignments starting from the greatest lower bound (GLB) of the lattice to the GLB of the isomorphic image. Then assign every reachable access class (i.e., those of unit distance) to a reachable dominance domain in the isomorphic image. Next assign all reachable access classes from those just assigned (which are not already assigned) to a corresponding reachable dominance domain. Proceed in this fashion until all access classes have been assigned. An assignment such as that shown in figure 15 will result, where the LUB is assigned to the LUB, A is assigned to A', B is assigned to B', and so forth.

This assignment is a valid assignment in that an assignment can be made from the access classes to the dominance domains that is not inherently incorrect and therefore is worthy of consideration. This does not mean that the protection mechanism is sufficient for this assignment. It only implies that such an assignment scheme is worthy of consideration.


[Figure 15 (diagram not reproduced): ACCESS CLASSES assigned to DOMINANCE DOMAINS]


2) Now consider a second practical assignment. This assignment starts from the GLB of the lattice making an assignment to the LUB of the isomorphic image and proceeding as in the first assignment scheme. The resulting assignment is illustrated in figure 16 where the LUB is assigned to the GLB, A is assigned to D', D is assigned to A', and so forth.
[Figure 16 (diagram not reproduced): ACCESS CLASSES assigned to DOMINANCE DOMAINS]


It is important to note that if the lattice structure is not uniform, i.e., inverting the lattice would not produce the same image, then only one of the two aforementioned assignment schemes will be successful. This limitation occurs because one encounters some set of reachable access classes during assignment that have no corresponding reachable dominance domains. However, for any lattice structure, uniform or otherwise, there will always be one assignment scheme to an isomorphic image that is worthy of consideration. This leads us to the following corollary.


Corollary 1. For any lattice policy and an isomorphic image established by some protection mechanism, there exists at least one valid assignment scheme.

Proof Sketch (Corollary 1): The proof is trivial from the definition of an isomorphic image. If a lattice has an isomorphic image, then at least one ordering of nodes in the image is identical to the ordering of nodes in the lattice; therefore, this ordering is worthy of consideration.

3) Now consider the assignment of the GLB access class to any dominance domain other than the LUB or the GLB. If this is done, then some other access class must be assigned to the LUB dominance domain and still another access class must be assigned to the GLB dominance domain. But if the isomorphic image is to maintain the ordering of the access classes, then there exists some ordering which is not valid because either the GLB or the LUB of the isomorphic image is to be considered less than the GLB (in the image) which must be the least element (viz., least sensitive) according to the policy. Therefore, such an assignment can never be valid. Thus one is reduced to the task of considering only two possible assignment schemes of interest.
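As an added illustration (example code, not from the thesis), the following Python script carries out the scheme selection argued in the proof sketch above: it tries all p! bijective assignments from the access classes of a policy lattice to the dominance domains of an isomorphic image and keeps only those whose image ordering either preserves or reverses the dominance ordering. The two lattices it is run on are constructed inputs: the linear basic National Security policy against Multics rings 0 to 3, and a non-uniform five-element lattice for which only one orientation survives.

```python
from itertools import permutations
from math import factorial

# Added example (not from the thesis): scheme selection for the assignment
# technique. A lattice is given by its elements and its covering pairs
# (lower, upper); the dominance relation is the reflexive-transitive closure.


def dominance(elements, covers):
    """All pairs (x, y) with x dominated by y, closed under transitivity."""
    leq = {(e, e) for e in elements} | set(covers)
    changed = True
    while changed:
        changed = False
        for (a, b) in list(leq):
            for (c, d) in list(leq):
                if b == c and (a, d) not in leq:
                    leq.add((a, d))
                    changed = True
    return leq


def orientation(assign, leq_policy, leq_image):
    """Classify one bijective assignment (access class -> dominance domain).

    'preserving': the image ordering is exactly the policy ordering
                  (GLB assigned to GLB, as in proof step 1).
    'reversing':  the image ordering is the policy ordering turned upside
                  down (GLB assigned to LUB, as in proof step 2).
    None:         the assignment violates the ordering of the lattice or
                  of the image (proof step 3) and is not worth considering.
    """
    mapped = {(assign[x], assign[y]) for (x, y) in leq_policy}
    if mapped == leq_image:
        return "preserving"
    if {(y, x) for (x, y) in mapped} == leq_image:
        return "reversing"
    return None


def count_schemes(classes, class_covers, domains, domain_covers):
    """Try every one of the p! bijections and count the usable orientations.

    Returns (bijections tried, {orientation: count}, distinct orientations).
    Several preserving bijections can exist when the image has symmetries
    (they differ only by relabelling interchangeable domains), so the
    Simple Assignment Theorem counts orientations, not bijections.
    """
    leq_p = dominance(classes, class_covers)
    leq_d = dominance(domains, domain_covers)
    found = {"preserving": 0, "reversing": 0}
    tried = 0
    for perm in permutations(domains):
        tried += 1
        kind = orientation(dict(zip(classes, perm)), leq_p, leq_d)
        if kind:
            found[kind] += 1
    assert tried == factorial(len(classes))
    return tried, found, sum(1 for n in found.values() if n)


# Constructed input 1: the linear basic National Security policy and the
# Multics rings 0..3 (ring 0 = least upper bound of the dominance domains).
SECURITY_CLASSES = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
SECURITY_COVERS = [("UNCLASSIFIED", "CONFIDENTIAL"),
                   ("CONFIDENTIAL", "SECRET"), ("SECRET", "TOP SECRET")]
RINGS = ["ring 3", "ring 2", "ring 1", "ring 0"]
RING_COVERS = [("ring 3", "ring 2"), ("ring 2", "ring 1"), ("ring 1", "ring 0")]

# Constructed input 2: a non-uniform lattice (inverting it gives a different
# shape, since the GLB has two covers but the LUB has only one) and an
# isomorphic image of it with primed names.
NONUNIFORM = ["0", "a", "b", "1", "2"]
NONUNIFORM_COVERS = [("0", "a"), ("0", "b"), ("a", "1"), ("b", "1"), ("1", "2")]
IMAGE = [n + "'" for n in NONUNIFORM]
IMAGE_COVERS = [(x + "'", y + "'") for (x, y) in NONUNIFORM_COVERS]


def linear_case():
    return count_schemes(SECURITY_CLASSES, SECURITY_COVERS, RINGS, RING_COVERS)


def nonuniform_case():
    return count_schemes(NONUNIFORM, NONUNIFORM_COVERS, IMAGE, IMAGE_COVERS)


if __name__ == "__main__":
    for name, case in (("linear", linear_case), ("non-uniform", nonuniform_case)):
        tried, found, n = case()
        print(f"{name}: {tried} bijections tried, {found}, {n} orientation(s)")
```

For the linear policy 24 bijections are tried and exactly two orientations survive; for the non-uniform lattice the reversing orientation is impossible, leaving one, as Corollary 1 and the note on non-uniform lattices state.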

One can further simplify the assignment technique by combining steps 4 and 5. This is accomplished by making an assignment and examining all access relations producible immediately. If an access relation is not valid, one can quickly determine that the assignment scheme in use will not validate the sufficiency of the mechanism.

When one is dealing with more complex lattice structures, one is faced with two alternatives. One can either validate the sufficiency of the mechanism for each sub-policy, establishing that if each sub-policy is enforced, then the complex policy is enforced, or one may choose to validate the complex policy by a straightforward assignment. When using a straightforward assignment approach, one must remember that the Simple Assignment Theorem may not apply. This is of no particular consequence when validating a protection mechanism designed for a particular policy where the assignments are chosen carefully. However, establishing the insufficiency of an arbitrary mechanism may require considerably more effort.

The basic principles associated with the assignment technique have been presented in this section. One may now consider some simple examples that illustrate the usefulness of assignment.


V.  MECHANISM  SUFFICIENCY  VALIDATION  BY  ASSIGNMENT 


One of the most practical uses for the assignment technique is sufficiency validation of protection mechanisms (i.e., validation of their ability to enforce security policies) [4]. In contrast to other validation techniques [11,17], the assignment technique presents a method whose mathematical model (i.e., the entity-relationship model) is based upon the nature of security itself, rather than other methods which adapt the nature of security into a form designed to mesh with the prescribed format of some well known mathematical model. This section discusses mechanism sufficiency validation by assignment for several well known linear non-discretionary security policies. Although the principles discussed in this section apply for all lattice security policies, only linear lattice policies are discussed in this section as they provide a sufficient foundation for the discussion of any lattice policy and are more clearly illustrated in this context.

A.  MULTICS  RING  MECHANISM  ASSIGNMENTS

The question of the sufficiency of the Multics Ring Mechanism for enforcement of the basic National Security policy was the initial problem that prompted the current research effort and led to the formulation of the assignment technique. It is appropriate then, that this analysis be presented as an introductory application of simple assignment.

1.  Compromise  Policy 

As stated previously in section II, the basic National Security policy is a simple lattice security policy. Figure 13 illustrates this policy.

The dominance domains of the Multics Ring Mechanism are most frequently shown as concentric rings numbered in increasing integer order from the innermost ring or the kernel. The security kernel is generally assigned ring number 0. For simplicity, only a system with rings 0 thru 3 is shown in this analysis. Assignment to other ring numbers (such as 2 thru 5 or 4 thru ?) will produce similar results because of the uniform nature of the Multics Ring Mechanism.

Consider as the first assignment scheme the assignment of the TOP SECRET access class (the least upper bound of the policy) to ring 0 (the least upper bound of the dominance domains). The assignment produced is illustrated in figure 17.

Next, according to the assignment technique, one must examine the access relations permitted by the mechanism and test for possible violations of the policy. In order to do so, one must first examine the nature of the Multics Ring Mechanism more closely. A detailed discussion is given by Schroeder [27]; however, a simple explanation of the pertinent details as used in this discussion is provided for those readers not otherwise familiar with Multics.


[Figure 17 (diagram not reproduced): Ring 0, Ring 1, Ring 2, Ring 3]

Figure 17. Basic National Security Assignment 1.


The Multics Ring Mechanism determines the authorized access of a process by means of the current ring number (r). Thus a process which is executing in ring number 1 would need to be cleared for at least SECRET information according to this assignment scheme.

The Multics Ring Mechanism discriminates among objects by means of a ring bracket. The ring bracket is a three-tuple (R1, R2, R3) where R1, R2 and R3 are ring numbers and R1 ≤ R2 ≤ R3. Access to objects is restricted such that the current ring of execution must be less than or equal to R2 to observe information and less than or equal to R1 to modify information. Figure 19 shows characteristics of the ring brackets both in terms of the access modes used in this discussion and the access modes used in Multics.

[Figure 18 (diagram not reproduced): ring axis starting at Ring 0 with bracket points R1 and R2; ranges marked Execute (Observe), Write (Modify) and Read (Observe)]

Figure 18. Multics Ring Mechanism.

Continuing now with the examination of access relations, consider an object that is classified as SECRET. Such an object must be assigned a ring bracket such that it may be observed by processes in ring 0 and ring 1 only. R2 must therefore be 1. This presents a problem. No matter what value one may choose for R1, a contradiction occurs. If R1 is 0 or 1 then TOP SECRET processes may modify SECRET files violating the Confinement Property. If R1 is greater than 1, the restrictions of the ring mechanism would be violated (viz., R1 > R2). Therefore, one can conclude that this assignment is not acceptable.

Consider now the only other potential assignment scheme where the greatest lower bound of the lattice (the UNCLASSIFIED access class) is assigned to ring 0. This assignment is illustrated in figure 19.

One may now attempt to assign ring brackets to an object classified SECRET. A problem occurs immediately. One wants processes executing in ring 2 to observe SECRET objects, but then a process in ring 0 (i.e., an UNCLASSIFIED process) will also be able to observe the object. The Simple Security Condition cannot be enforced with this assignment, so the assignment scheme is not feasible.


Figure 19. Basic National Security Assignment 2.


Since neither of these assignments is acceptable, and shifting the ring assignments numerically would yield similar results, one can see that no assignment will be acceptable. Therefore, the Multics Ring Mechanism is not sufficient to enforce the basic National Security policy for compromise.


2.  Subversion  Policy


The basic National Integrity policy [21] is the dual of the basic National Security policy. Whereas the security policy is concerned with the unauthorized observation of information or compromise, the integrity policy is concerned with the unauthorized modification of information or subversion as discussed in section II.

Consider first the assignment of the TOP SECRET access class (the least upper bound for the lattice established by the policy) to Ring 0 (the least upper bound for the dominance domains established by the mechanism). The assignment produced is shown in figure 20.


Figure 20. Basic National Integrity Assignment 1.
One may now examine the access relations which the Multics Ring Mechanism will permit (as shown in figure 19) and test for possible violations of the policy. In so doing, one encounters violations almost immediately. One wishes to have a process executing in Ring 1 (i.e., a SECRET process), for example, to be able to observe TOP SECRET objects in Ring 0, but the mechanism prohibits this observation. Additionally, a SECRET process could observe CONFIDENTIAL information violating the Integrity Confinement Property. Therefore, this assignment scheme is not feasible.


Figure  21.  Basic  National  Integrity  Assignment  2. 

Consider now the only other potential assignment scheme (viz., according to the Simple Assignment Theorem) where the TOP SECRET equivalence class is assigned to Ring 3. This assignment scheme is illustrated in figure 21.

Examining this assignment, consider an object that is classified as SECRET. Such an object must be assigned a ring bracket such that it may be observed by processes in Ring 0, Ring 1 and Ring 2 only, so R2 must be assigned 2. But if R2 is 2, one is faced with a contradiction in the assignment of R1. If R1 is assigned 0, 1 or 2, then a violation of the Simple Integrity Condition occurs because UNCLASSIFIED subjects may then modify SECRET objects. If R1 is assigned 3, the Ring Bracket constraints are violated. Therefore, this assignment scheme fails to provide an assignment where the protection mechanism can enforce this policy.

According to the Simple Assignment Theorem, there are no other assignments worthy of consideration. Therefore, the Multics Ring Mechanism is not sufficient to enforce this policy either.

So far, it has been shown that the Multics Ring Mechanism is not sufficient to enforce the basic National Security policy nor the basic National Integrity policy. However, a Multics Security Kernel has been designed [28,29] that is sufficient to support both of these policies. This may seem to be a contradiction but it is not. The confusion is dissipated when one asks the question, "What form of policy does the Multics Ring Mechanism support?"
3.  Program  Integrity  Policy

The general form of Program Integrity policies was introduced in section II. Consider now the specific program integrity policy shown in figure 22.


Figure 22. A Program Integrity Policy.

According to this policy, entities are partitioned into one of four access classes designated as User, Supervisor, Utility or Kernel. The sensitivity of these access classes is specified as: Kernel > Supervisor > Utility > User. An assignment to a Multics ring structure is made as shown in figure 23.

Recalling the characteristics of ring brackets shown in figure 18, "Max" is designated as Ring 0, the program integrity access class (PI) as R1 and "Min" as R2. One may note that for this policy any choice for R2 greater than or equal to R1 will do. This analysis, however, has fixed R2 at 3.

According to the assignment technique, one must now examine the access relations permitted by the mechanism and test for possible violations of the policy. Unlike previous examples, where the mechanism was obviously not sufficient to support the policy (i.e., only a single counter-example was necessary), this example examines a policy that is likely to be supported by the Multics Ring Mechanism. Knowing this, it seems appropriate to present a more careful approach for the validation of this assignment.


Figure  23.  Program  Integrity  Assignment  1. 

For simplicity, one may refer to e0 (the first equivalence class) as Kernel (i.e., the access class that labels this equivalence class of subjects and objects), e1 as Supervisor, e2 as Utility and e3 as User. One may also refer to A0 (the first dominance domain established by the Multics Ring Mechanism) as Ring 0, A1 as Ring 1, A2 as Ring 2 and A3 as Ring 3. The assignment scheme consists of assigning e0 to A0 (Kernel to Ring 0), e1 to A1 (Supervisor to Ring 1), e2 to A2 (Utility to Ring 2), e3 to A3 (User to Ring 3). One can now evaluate the access relations permitted by the Multics Ring Mechanism and compare them with the policy.

Examining the read access first, one notes that the Multics Ring Mechanism provides no discrimination for read access since R2 is fixed at 3 for all objects. Thus subjects in A0, A1, A2 or A3 may read objects in A0, A1, A2 and A3. This corresponds with the access rights of the policy which states that subjects in e0, e1, e2 or e3 may read objects in e0, e1, e2 and e3. Therefore, the mechanism is sufficient with respect to the read access relations.

Next, examining the modify access relations one may observe that MA0 ⊃ MA1 ⊃ MA2 ⊃ MA3. Thus a subject in A0 may modify objects in A0, A1, A2 or A3. This corresponds to the access rights of the Kernel access class in that a subject in e0 may modify objects in e0, e1, e2 and e3. Examining A1, one observes that a subject in A1 may modify objects in A1, A2 or A3 but not in A0. This corresponds with the access rights of the Supervisor access class in that a subject in e1 may modify objects in e1, e2 and e3 but not in e0. Examining A2, one observes that a subject in A2 may modify objects in A2 or A3 but not in A0 or A1. This corresponds with the access rights of the Utility access class in that a subject in e2 may modify objects in e2 or e3 but not in e0 or e1. Finally, examining A3, one observes that a subject in A3 may only modify objects in A3. This corresponds with the access rights of the User access class in that a subject in e3 may only modify objects in e3. Therefore, the Multics Ring Mechanism is sufficient to support this policy with respect to modify access relations.

Next, examining the execute access relations one may observe that XA0 ⊂ XA1 ⊂ XA2 ⊂ XA3. This is just the inverse of the modify access relations. Thus a subject in A3 may execute objects in A0, A1, A2 or A3. This corresponds to the access rights of the User access class in that a subject in e3 may execute objects in e0, e1, e2 and e3. Examining A2, one observes that a subject in A2 may execute objects in A0, A1 or A2 but not in A3. This corresponds with the access rights of the Utility access class in that a subject in e2 may execute objects in e0, e1 and e2 but not in e3. Examining A1, one observes that a subject in A1 may execute objects in A0 or A1 but not in A2 or A3. This corresponds with the access rights of the Supervisor access class in that a subject in e1 may execute objects in e0 or e1 but not in e2 or e3. Finally, examining A0, one observes that a subject in A0 may only execute objects in A0. This corresponds with the access rights of the Kernel access class in that a subject in e0 may only execute objects in e0. Therefore, the Multics Ring Mechanism is sufficient to support this policy with respect to execute access relations.

So one may observe that for each of the access modes (read, modify and execute), the Multics Ring Mechanism is sufficient to enforce the policy. Therefore, for this assignment, no violations are possible, thus proving that the Multics Ring Mechanism is sufficient to support this Program Integrity policy.
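As an added illustration (example code, not from the thesis), the following Python script performs steps 4 to 6 of the assignment technique for the three Multics analyses above: for each object class it searches for a ring bracket under which the mechanism permits exactly the accesses the policy grants, and reports whether the mechanism is sufficient under each of the two orientations the Simple Assignment Theorem leaves. It assumes the simplified bracket rules of figure 18 (read if r ≤ R2, modify if r ≤ R1, execute if R1 ≤ r ≤ R2, with R3 and gate segments ignored) and encodes access classes as ranks 0 to 3, both constructed for this example.

```python
from itertools import product

# Added example (not from the thesis): steps 4-6 of the assignment technique
# for the Multics ring analyses. Access classes are integer ranks 0..3
# (0 = least sensitive, 3 = least upper bound); an assignment maps a rank
# to a ring number. The bracket rules below are the simplified ones of
# figure 18 as described on the page; R3 and gate segments are ignored.

MODES = ("read", "modify", "execute")
RINGS = range(4)
RANKS = range(4)


def ring_allows(mode, r, bracket):
    """Simplified Multics ring-bracket rule for a process in ring r."""
    r1, r2 = bracket
    if mode == "read":
        return r <= r2            # observe: current ring at most R2
    if mode == "modify":
        return r <= r1            # modify: current ring at most R1
    if mode == "execute":
        return r1 <= r <= r2      # execute (observe): within [R1, R2]
    raise ValueError(mode)


def compromise_policy(mode, s, o):
    """Basic National Security policy: Simple Security Condition (observe
    only objects the subject dominates) and Confinement Property (modify
    only objects that dominate the subject)."""
    return s <= o if mode == "modify" else s >= o


def integrity_policy(mode, s, o):
    """Basic National Integrity policy, the dual: Simple Integrity Condition
    and Integrity Confinement Property."""
    return s >= o if mode == "modify" else s <= o


def program_integrity_policy(mode, s, o):
    """Program Integrity policy of figure 22: read unrestricted, modify
    objects at or below the subject's class, execute objects at or above."""
    if mode == "read":
        return True
    return s >= o if mode == "modify" else s <= o


def find_bracket(policy, assignment, obj_rank):
    """Search every bracket (R1, R2) with R1 <= R2 for one under which the
    mechanism permits exactly the accesses the policy grants to objects of
    obj_rank, for subjects in every ring of the assignment. None means no
    bracket avoids both a policy violation and a denied required access."""
    for r1, r2 in product(RINGS, repeat=2):
        if r1 > r2:
            continue
        if all(ring_allows(m, assignment[s], (r1, r2)) == policy(m, s, obj_rank)
               for m in MODES for s in RANKS):
            return (r1, r2)
    return None


def validate(policy, assignment):
    """Steps 5 and 6: (True, {rank: bracket}) if every access class can be
    given a bracket, else (False, first rank for which no bracket works)."""
    brackets = {}
    for o in RANKS:
        b = find_bracket(policy, assignment, o)
        if b is None:
            return False, o
        brackets[o] = b
    return True, brackets


# The two orientations the Simple Assignment Theorem leaves to consider.
LUB_TO_RING0 = {3: 0, 2: 1, 1: 2, 0: 3}   # TOP SECRET / Kernel in ring 0
GLB_TO_RING0 = {0: 0, 1: 1, 2: 2, 3: 3}   # UNCLASSIFIED / User in ring 0


def sufficiency_report():
    """{policy name: [sufficient under LUB->ring 0, under GLB->ring 0]}."""
    return {
        name: [validate(p, a)[0] for a in (LUB_TO_RING0, GLB_TO_RING0)]
        for name, p in (("compromise", compromise_policy),
                        ("integrity", integrity_policy),
                        ("program integrity", program_integrity_policy))
    }


if __name__ == "__main__":
    for name, outcomes in sufficiency_report().items():
        print(f"{name}: LUB->ring 0 {outcomes[0]}, GLB->ring 0 {outcomes[1]}")
    print(validate(program_integrity_policy, LUB_TO_RING0))
```

The search fails for SECRET objects under both orientations of the compromise and integrity policies, reproducing the contradictions found by hand above, while the program integrity policy receives the bracket (PI, 3) for every class.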

B.  OTHER  RING  MECHANISMS 

The Multics Ring Mechanism is by no means the only form of Ring Mechanism. By altering the requirements of the Ring Brackets and the need for a Gate Keeper, one can contemplate adapting the ring mechanisms to meet other simple hierarchical policies.

Consider using the assignment shown in figure 17, but altering the means of discrimination among objects such that the Ring Bracket is a singleton (R1). Following the rules shown in figure 24, one can adapt this ring mechanism to enforce the basic National Security policy.

[Figure 24 (diagram not reproduced): ring axis from KERNEL to MAX; ranges marked Modify and Observe]

Figure 24. Security Rings.
Similarly, figure 25 shows the rules necessary for the same assignment as shown in figure 20 to adapt this ring mechanism to meet the basic National Integrity policy.

[Figure 25 (diagram not reproduced): ring axis from KERNEL to MAX; ranges marked Observe and Modify]

Figure 25. Integrity Rings.

To be sure, these brief suggestions do not completely characterize a practical protection mechanism. However, it appears that ring mechanisms are adaptable for the enforcement of various simple hierarchical policies.

C.  CAPABILITY  MECHANISMS 

Considerable effort is currently underway to provide a "Provably Secure Operating System" based upon the capability mechanism [30,31]. It is important to examine what form of protection capabilities actually provide.

Capability mechanisms primarily establish two dominance domains that are enforced by the system hardware mechanism. One domain consists of capabilities, and the other is objects that are not capabilities such as segments and directories. A process takes no note of these dominance domains, however, because all processes have access to capabilities as well as other types of objects. So with respect to a process, the capability mechanism provides no inherent partitioning of the system entities at all. In fact, in trying to determine the structure of dominance domains for non-capability objects, one encounters a veritable "spaghetti bowl" of domains, devoid of any inherent, unifying structure. Thus a capability mechanism is of itself not sufficient for the enforcement of any non-discretionary security policy. Enforcement of non-discretionary security policies (i.e., those of primary interest to National Defense) must be accomplished by some other add-on mechanism.

This is not to say that a capability mechanism is not useful. For example, the mechanism can protect a security kernel in much the same way as rings protect the kernel in the Multics design.

The usefulness of the assignment technique in validating the suitability of a protection mechanism to enforce a security policy has been examined in this section. The validity of the assignment technique has been established.
VI.  CONCLUSION


This  research  nas  explored.  tne  foundations  of 
non-discreti onary  security,  discovering  an  effective 
methodology  for  assessing  tne  sufficiency  of  a  protection 
mechanism  to  enforce  a  non-discreti onary  security  policy.  Ey 
formalizing  tne  notion  of  a  domain  [6,7j  ,  and  using  a  formal 
notion  of  non-discretionary  security  13],  the  inseparable 
nature  of  protection  mecnanisms  and  security  policies  has 
been  established.  This  section  considers  some  future 
directions  for  researcn  and  summarizes  tne  principle 
findings  of  the  author. 

A. FUTURE DIRECTIONS

Although this author's investigation has provided some structure to the complex nature of security, considerable research is still needed. The relationship between protection mechanisms and other operating system mechanisms is not clear. Such issues as serializability, synchronization and distributed processing may add new dimensions to the meaning of protection. Fundamental limitations regarding implementation details remain unknown.

Additionally, one can consider the formalization of policy specifications in general. Can the enforcement of any policies other than lattice policies be evaluated? Can all enforceable policies be represented in some common form such as a lattice?

One of the most difficult problems in actually enforcing any security policy is the maintenance of unique non-forgeable attributes [6] associated with the subjects and objects. A mechanism for maintaining the uniqueness of these attributes may be called an "isolation mechanism" because it isolates those subjects that may access these attributes from those that may not. This does not prevent sharing of objects but simply provides a means of isolating these attributes from general unprotected usage. Both the capability mechanism [30,31] and the notion of a gate (mechanism) [9,28] appear to be isolation mechanisms. A comprehensive study of this problem is beyond the scope of this discussion. However, a few observations concerning isolation noted during this research are provided.

The fundamental principles upon which an isolation mechanism must rely are the notion of a segment (i.e., an atomic unit of information storage for which the access class is identified) and the tranquillity principle (i.e., the notion that the access class for a subject or an object does not change during the course of computations) [17]. If these two principles are not enforced, it is not clear how one may evaluate the enforcement of any non-discretionary security policy.
The tranquillity principle does not strictly apply to processes. In Multics, for example, processes had several domains of execution. Since a subject is defined as a process-domain pair, one might at first suspect that a process executing in multiple domains does not present a security problem. This is not always the case, particularly when dealing with policies that attempt to limit the information flow [13].

When attempting to enforce the National Security Policy in a multi-user, multi-process environment, where a process executes in a sequential fashion (i.e., the process is serializable), one can do no better than to allow a process to proceed to its "high water mark" and then terminate at that level. Any attempt to revert to a less sensitive access class will result in a potential compromise. For example, consider the compromise technique shown in figure 26.

In this example, a malicious agent utilizes the feature of sequential processes and the basic PV synchronization mechanism [33] to take the "Info" in Dominance Domain 2 and copy it into Dominance Domain 1. In order to do so, the agent calls procedures placed in the "High" domain by subversion [3], relying only upon one process (i.e., PROCESS 0 or PROCESS 1) to return, thus providing the information in binary form to the "Low" domain. Thus by serialization and process synchronization alone, the isolation of the dominance domains has been compromised.
Dominance Domain 1 (Low)

    PROCESS S (Synchronizer)
    L1: P(1);
        GotIt := 1;
        Pointer := Pointer + 1;
        P(2);
        GotIt := 0;
        V(3);
        V(4);
        GO TO L1;

    PROCESS 0 ("Get a Zero")
    L2: CALL ZeroProc;
        IF GotIt = 0, THEN Copy(Pointer) := 0;
        V(1);
    S1: V(2);
        P(3);
        GO TO L2;

    PROCESS 1 ("Get a One")
    L3: CALL OneProc;
        IF GotIt = 0, THEN Copy(Pointer) := 1;
        V(1);
    S2: V(2);
        P(4);
        GO TO L3;

Dominance Domain 2 (High)

    ZeroProc
        IF Info(Pointer) = 0, THEN RETURN;
        IF GotIt = 0, THEN GO TO S1;
        RETURN.

    OneProc
        IF Info(Pointer) = 1, THEN RETURN;
        IF GotIt = 0, THEN GO TO S2;
        RETURN.

    Info: 1 0 1 ...


Figure 26. Serialization Problem.


Note that were the processes to act independently in each dominance domain (i.e., processes are serializable only with respect to a given dominance domain, or synchronization between two processes is not possible), this compromise could not occur. In general, this example shows that synchronization of processes, serialization of processes and secure computations are fundamentally related in some fashion. The exact nature of this relationship is not clear.
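The compromise of figure 26 can be run as an executable simulation. The following Python program is an added example and is not code from the thesis: the three Low-domain processes become threads, P and V become semaphore acquire and release, and the "GO TO S1" / "GO TO S2" transfers out of the High procedures are modelled by an exception that the Low process catches at the label. The bit string Info is a constructed sample, and the High procedures receive GotIt as a parameter (they may read Low's variables; Low never reads Info). One tightening is added that the figure leaves implicit: the synchronizer performs P(2) twice, so that it waits for both getters before resetting GotIt and advancing Pointer, which keeps the semaphore counts balanced from round to round.

```python
import threading

# Constructed sample: the bit string held in the High dominance domain
# (an assumption for this example; the figure shows only "Info: 1 0 1 ...").
INFO = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]


class Divert(Exception):
    """Models 'GO TO S1' / 'GO TO S2': the High procedure transfers control
    back into the Low process at a label instead of returning normally."""


class HighDomain:
    """Dominance Domain 2 (High).  Only these procedures read Info.  They may
    read the Low variable GotIt (read-down is permitted); it is passed in as a
    parameter here.  Nothing in the Low domain ever reads Info directly."""

    def __init__(self, info):
        self._info = list(info)

    def zero_proc(self, pointer, gotit):        # ZeroProc
        if self._info[pointer] == 0:
            return                              # bit is 0: return normally
        if gotit == 0:
            raise Divert                        # bit is 1 and unclaimed: GO TO S1
        return                                  # bit already claimed this round

    def one_proc(self, pointer, gotit):         # OneProc
        if self._info[pointer] == 1:
            return
        if gotit == 0:
            raise Divert                        # GO TO S2
        return


def leak(info):
    """Dominance Domain 1 (Low): PROCESS 0, PROCESS 1 and PROCESS S copy Info
    into Copy one bit per round.  Each bit is learned only from which getter's
    High procedure returned normally, plus the P/V handshake with PROCESS S."""
    high = HighDomain(info)
    nbits = len(info)
    copy = [None] * nbits
    shared = {"pointer": 0, "gotit": 0}         # Low-domain variables
    sem = {k: threading.Semaphore(0) for k in (1, 2, 3, 4)}

    def getter(bit, proc, wait_sem):            # PROCESS 0 / PROCESS 1
        while True:
            ptr = shared["pointer"]
            if ptr >= nbits:
                return                          # all bits copied
            try:
                proc(ptr, shared["gotit"])      # CALL ZeroProc / CALL OneProc
                if shared["gotit"] == 0:
                    copy[ptr] = bit             # Copy(Pointer) := bit
                    sem[1].release()            # V(1): tell S the bit was captured
            except Divert:
                pass                            # land at S1 / S2: no copy, no V(1)
            sem[2].release()                    # V(2)
            wait_sem.acquire()                  # P(3) / P(4): wait for the next round

    def synchronizer():                         # PROCESS S
        for _ in range(nbits):
            sem[1].acquire()                    # P(1): one getter captured the bit
            shared["gotit"] = 1                 # GotIt := 1: nobody else may copy
            sem[2].acquire()                    # P(2) twice (added): both getters
            sem[2].acquire()                    #   have finished this round
            shared["pointer"] += 1              # Pointer := Pointer + 1
            shared["gotit"] = 0                 # GotIt := 0
            sem[3].release()                    # V(3)
            sem[4].release()                    # V(4)

    threads = [
        threading.Thread(target=getter, args=(0, high.zero_proc, sem[3])),
        threading.Thread(target=getter, args=(1, high.one_proc, sem[4])),
        threading.Thread(target=synchronizer),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return copy


if __name__ == "__main__":
    print("Info:", INFO)
    print("Copy:", leak(INFO))
```

Running it shows Copy equal to Info although no Low-domain code reads Info: for each bit exactly one of the two High procedures returns normally, the other diverts, and the synchronizer's P/V handshake turns that control-flow difference into a serialized binary channel. Removing the ability of the two getters to synchronize through PROCESS S (the condition noted in the paragraph above) leaves each getter unable to tell which round a returned call belongs to, and the copy no longer assembles.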

B. RESULTS

The assignment technique has been shown to be a useful method for validating the sufficiency of a protection mechanism to enforce non-discretionary security policies. This method provides considerable insight into the nature of access control. One may observe that non-discretionary security is dependent only upon the dominance domains established by the system's mechanisms and their associated permissible access relations. The nature of the computation is of no concern.

Any non-discretionary security policy for which the access classes and access relations can be enumerated can be enforced in a theoretical sense. Actual implementation, however, is dependent upon the system's isolation mechanism. No policy can be enforced, in a practical sense, unless the system can maintain unique non-forgeable attributes.
Protection mechanisms inherently "mirror" the policies that they enforce. Non-discretionary security policies form a lattice of access classes that may be mapped to an isomorphic image of dominance domains, inherently established by the protection mechanism. Since this has been shown, one need not illustrate separate lattices for both policy and mechanism. One unified description for both the lattice policy and its image established by the protection mechanism is sufficient for general systems design considerations.

One may also consider approaching the assignment technique from the mechanism point of view. The question then becomes, "Given some general protection mechanism, what form of policies will it support?" An absolute answer to this question is, in general, not available. However, one can make an evaluation for those policies that are of current interest. Thus, the assignment technique gives one a forum in which to consider the usefulness of protection mechanisms for specific policies of interest.

"Uniform protection mechanisms," i.e., those mechanisms forming lattice structures of dominance domains where the access relations between any two antisymmetric dominance domains are identical, may be represented by linear access graphs in the same manner as a policy. When the linear access graph for the policy is similar to the linear access graph for the mechanism, one can see that for a carefully chosen assignment scheme, the protection mechanism will enforce the security policy.

One may consider the development of a taxonomy of uniform protection mechanisms based upon the nature of the access control that each enforces. Such a taxonomy is beyond the scope of this discussion; however, the linear access graphs illustrated throughout this text may be helpful in initiating such an effort.

The protection provided by the Multics ring mechanism appears to be precisely the issue that Wulf, Jones and the other designers of the "HYDRA" system were attempting to understand [18]. They introduce their discussion by first saying:


"Protection is, in our view, a mechanism." [18]


Their discussion then proceeds to make the following general statement relative to the Multics rings:


"Our rejection of hierarchical system structures, and especially ones which employ a single hierarchical relation for all aspects of system interaction, is also, in part, a consequence of the distinction between protection and security. A failure to distinguish these issues coupled with a strict hierarchical structure leads inevitably to a succession of increasingly privileged system components, and ultimately to a 'most privileged' one, which gain their privilege exclusively by virtue of their position in the hierarchy. Such structures are inherently wrong ..." [18]
Had the assignment technique been available to the authors of the above statement, they would have been afforded a means of expressing their views more precisely than the ambiguous phrase "inherently wrong". The assignment technique provides a precise means for clearly formulating such an observation and evaluating its validity. As shown in section V, and in agreement with Wulf's statement, the Multics ring mechanism is "inherently wrong" with respect to compromise policies. On the other hand, the Multics ring mechanism is "just right" as a means of enforcing a program integrity policy or assisting in the enforcement of the system's hierarchical as well as non-hierarchical security policies (viz., via security kernels).
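The assignment technique described under "Uniform protection mechanisms" above, and the verdict on rings just given, can both be exercised mechanically. The following Python program is an added example, not code or a figure from the thesis, and it encodes one reading of the technique: a policy is a lattice of access classes plus the access relations it permits between classes; a mechanism is a set of dominance domains plus the access modes it permits between domains; an assignment maps classes to domains one-to-one; and the assignment is evaluated by listing every access the mechanism would permit but the policy forbids. The compromise policy is encoded as "read only from dominated classes, write only to dominating classes". The ring rules are a deliberately simplified model (a subject in ring i may read and write segments in any ring j >= i and nothing inward), not the full Multics ring-bracket rules, and the two-class lattice and the "uniform" two-domain mechanism are constructed for the example.

```python
from itertools import permutations, product

MODES = ("read", "write")


def linear_dominates(order):
    """Dominance relation of a linear lattice given as a list, lowest first."""
    rank = {c: i for i, c in enumerate(order)}
    return lambda a, b: rank[a] >= rank[b]


def compromise_policy(dominates):
    """Access relations of a compromise (confidentiality) policy: a subject may
    read an object only if the subject's class dominates the object's class,
    and may write an object only if the object's class dominates the subject's."""
    def permits(subj_class, mode, obj_class):
        if mode == "read":
            return dominates(subj_class, obj_class)
        return dominates(obj_class, subj_class)
    return permits


def ring_mechanism():
    """Simplified ring-like mechanism (an assumption, not the full Multics
    rules): ring 0 is innermost; a subject in ring i may read and write segments
    in any ring j >= i, and may neither read nor write anything in rings j < i."""
    def permits(subj_ring, mode, obj_ring):
        return obj_ring >= subj_ring
    return permits


def uniform_mechanism(domain_order):
    """A constructed 'uniform' mechanism: dominance domains form a linear lattice
    and the access relations between any two comparable domains are the same
    (read from dominated domains, write to dominating domains)."""
    dom = linear_dominates(domain_order)
    def permits(subj_domain, mode, obj_domain):
        if mode == "read":
            return dom(subj_domain, obj_domain)
        return dom(obj_domain, subj_domain)
    return permits


def evaluate_assignment(classes, policy, mechanism, assignment):
    """Evaluate one assignment of access classes to dominance domains.
    Returns (violations, unsupported): a violation is an access the mechanism
    permits but the policy forbids (the mechanism is insufficient); an
    unsupported access is one the policy permits but the mechanism prevents
    (safe, but the system cannot do everything the policy would allow)."""
    violations, unsupported = [], []
    for subj, mode, obj in product(classes, MODES, classes):
        by_policy = policy(subj, mode, obj)
        by_mech = mechanism(assignment[subj], mode, assignment[obj])
        if by_mech and not by_policy:
            violations.append((subj, mode, obj))
        elif by_policy and not by_mech:
            unsupported.append((subj, mode, obj))
    return violations, unsupported


def sufficient_assignments(classes, domains, policy, mechanism):
    """Try every one-to-one assignment of classes to domains and keep those
    under which the mechanism permits nothing the policy forbids."""
    good = []
    for image in permutations(domains, len(classes)):
        assignment = dict(zip(classes, image))
        violations, _ = evaluate_assignment(classes, policy, mechanism, assignment)
        if not violations:
            good.append(assignment)
    return good


# Constructed two-class policy lattice: Low < High.
CLASSES = ["Low", "High"]
POLICY = compromise_policy(linear_dominates(CLASSES))


if __name__ == "__main__":
    natural = {"High": 0, "Low": 1}          # High in the inner ring
    print("rings, High->0, Low->1:", evaluate_assignment(CLASSES, POLICY, ring_mechanism(), natural))
    print("rings, sufficient assignments:", sufficient_assignments(CLASSES, [0, 1], POLICY, ring_mechanism()))
    print("uniform, sufficient assignments:", sufficient_assignments(CLASSES, [1, 2], POLICY, uniform_mechanism([1, 2])))
```

With High in ring 0 and Low in ring 1, the evaluation reports one violation, ("High", "write", "Low"): the inner ring may write outward, which the compromise policy forbids. The reverse assignment instead lets Low read High. No one-to-one assignment of the two classes to two rings is free of violations, which is the sense in which the ring mechanism is "inherently wrong" for a compromise policy under this model, whereas the uniform two-domain mechanism, whose access relations mirror the policy lattice, admits exactly one sufficient assignment, Low to domain 1 and High to domain 2.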

Additionally, in the same report [18] the authors make the following observation with respect to their overall design methodology:

"Among the major causes of our inability to experiment with, and adapt, existing operating systems is their failure to properly separate mechanisms from policy." [18]

The assignment technique has shown, however, that lattice security policies and the protection mechanisms that enforce these policies are inextricably related. Recognizing this inseparability should provide considerable insight into current efforts in this area.


Overall, assignment research has provided a mathematical methodology for unifying the discussion of security related issues. One may now properly refer to an access mode as a realization of an access right, a dominance domain as a realization of an access class, and a protection mechanism as a realization of a security policy.